Marina Bay Sands' Sands LifeStyle rewards programme sees data security breach

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Singapore hotel group Marina Bay Sands (MBS) has issued an email to its Sands LifeStyle rewards programme members informing them of a "data security incident". It explained that a third-party member obtained unauthorised access to the personal data of some members during the incident.

The incident happened on 19 and 20 October, according to MBS and it became aware of it on 20 October.

Don't miss: Marina Bay Sands inks multi-year partnership with Scuderia Ferrari ahead of SG GP

"Based on our current investigation findings, your personal data was accessed in the incident," it said.

Upon discovery of the incident, MBS immediately took action to resolve it. Investigations have since determined that an unknown third party accessed customer data of about 665,000 non-casino rewards programme members, it said.

Personal data that might have been affected include names, email addresses, phone numbers, countries of residence and Sands LifeStyle membership numbers and tiers.

"Based on our investigation, we do not have evidence to date that the unauthorised third party has misused the data to cause harm to customers," added MBS. It also added that it does not believe that membership data from its casino rewards programme, Sands Rewards Club, was affected.

MBS explained that it has launched an investigation and is working with an external cybersecurity firm in lieu of the incident. It has also taken action to further strengthen its systems and protect its data and has reported the incident to relevant authorities in Singapore and other countries where applicable.

MBS is just one of the many local brands who have been hit by data breaches. In August, online cashback portal ShopBack fined SG$74,400 after personal data leak affecting millions of customers that affected millions of its customers, according to the PDPC in a written judgement.

ShopBack first reported an incident involving unauthorised access to its customer data servers on 25 September, 2020. It also informed its customers in tandem.

Based on what it found, PDPC determined that ShopBack did no ensure that processes to manage the AWS keys that granted access to the customer storage servers were sufficiently robust.

"While the organisation admitted that it could have done more to ensure that its employees were performing their AWS key rotation duties properly, the organisation claimed that the compromise of the AWS Key arose from human error, and not because of any systemic issue with the organisation’s security practices," wrote PDPC.

share on