
Marina Bay Sands [2025] SGPDPC 6

Analysis of [2025] SGPDPC 6, a decision of the Intellectual Property Office of Singapore on 2025-11-28.


Case Details

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a data breach incident at Marina Bay Sands Pte. Ltd. (the Organisation), where a threat actor gained unauthorised access to the personal data of approximately 665,495 Sands Rewards Lifestyle (SRL) members. The PDPC found that the Organisation had breached its data protection obligations under the Personal Data Protection Act 2012 (PDPA) due to insufficient security arrangements and a failure to implement processes to mitigate the risks of human error. The PDPC imposed a financial penalty on the Organisation as a result.

What Were the Facts of This Case?

On 25 October 2023, the PDPC received a notification from the Organisation about a data breach incident. The incident involved a threat actor using the account credentials of six existing SRL members to access the customer records of approximately 665,495 SRL members (the "Affected Data"). Investigations revealed that the Affected Data was exfiltrated and made available for sale online on the dark web.

The Organisation operates various membership programmes, including the SRL programme, which allows members to earn and redeem loyalty points. As part of these programmes, the Organisation collected personal data of approximately 1.9 million individuals, including their names, email addresses, phone numbers, countries of residence, and membership information.

Prior to the incident, the Organisation had implemented various security measures, including segregated and differentiated access controls, a password policy, one-time password verification, and an access token verification policy. The Organisation had also implemented other data protection and security policies, guidelines, and procedures, and obtained relevant certifications.

However, the investigations revealed that the incident was caused by a misconfiguration error during the Organisation's migration to a new middleware software platform. Specifically, an employee tasked with manually replicating the API configurations from the old platform to the new platform inadvertently omitted the external ArtScienceMuseum calling app ID from the inventory list. As a result, the access token verification policy did not apply to the ArtScience Friends (ASF) webpage, allowing the threat actor to access the personal data of other SRL members through the compromised ASF accounts.

The key legal issue in this case was whether the Organisation had breached its data protection obligations under section 24 of the PDPA, which requires organisations to "protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."

Specifically, the PDPC had to determine whether the Organisation's security arrangements were reasonable and whether it had failed to implement processes to mitigate the risks of human error, which led to the data breach incident.

How Did the Court Analyse the Issues?

The PDPC examined the security measures implemented by the Organisation prior to the incident, including the segregated and differentiated access controls, password policy, one-time password verification, and access token verification policy. The PDPC found that these measures were generally reasonable and in line with industry standards.

However, the PDPC identified the misconfiguration error during the migration to the new middleware platform as a key failure in the Organisation's security arrangements. The PDPC noted that the Organisation had opted to manually replicate the API configurations, which led to the inadvertent omission of the external ArtScienceMuseum calling app ID from the inventory list. This oversight resulted in the access token verification policy not being applied to the ASF webpage, creating a vulnerability that the threat actor exploited.

The PDPC also found that the Organisation had failed to implement adequate processes to mitigate the risks of human error during the migration exercise. The PDPC highlighted that the Organisation should have had more robust testing and validation procedures in place to ensure the effective implementation of the access token verification policy across all its webpages.
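The failure the PDPC describes is a configuration-replication gap: one calling app ID was left out of the new platform's inventory, so the access token verification policy silently stopped covering that webpage. A pre-cutover validation step would have caught this mechanically. The following is an added example, not code from the decision or from the Organisation, showing the kind of check such a migration would run: it diffs the source platform's inventory against the replicated one and refuses cutover if any app is missing, any policy was dropped, or any app lacks the required token policy. The inventory format, policy names and app IDs (such as `museum_friends_web`) are constructed assumptions.

```python
"""Migration validation for an API-gateway inventory (added example).

Assumptions (not from the decision): each calling app is identified by an
app ID and has a set of named policies attached; the policy that must never
be lost is called "access_token_verification".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppConfig:
    app_id: str
    policies: frozenset  # names of gateway policies attached to this calling app


def build_inventory(entries):
    """entries: iterable of (app_id, [policy, ...]) -> dict keyed by app_id."""
    return {app_id: AppConfig(app_id, frozenset(policies)) for app_id, policies in entries}


# Policies that every calling app must carry on the new platform (assumption).
REQUIRED_POLICIES = frozenset({"access_token_verification"})

# Constructed sample data: the source-platform inventory ...
OLD_INVENTORY = build_inventory([
    ("loyalty_portal", ["access_token_verification", "rate_limit"]),
    ("mobile_app", ["access_token_verification"]),
    ("museum_friends_web", ["access_token_verification"]),
])

# ... and a hand-replicated copy that omits one app (as in the incident) and
# adds a new app without the required policy.
NEW_INVENTORY = build_inventory([
    ("loyalty_portal", ["access_token_verification", "rate_limit"]),
    ("mobile_app", ["access_token_verification"]),
    ("partner_api", ["rate_limit"]),
])


def migration_findings(old, new, required=REQUIRED_POLICIES):
    """Compare the source inventory with the replicated one.

    Returns a dict of sorted lists:
      missing_apps     - app IDs present in old but absent from new
      dropped_policies - (app_id, policy) pairs that existed before and were lost
      unprotected      - app IDs in new that lack one of the required policies
    """
    missing_apps = sorted(set(old) - set(new))
    dropped_policies = sorted(
        (app_id, policy)
        for app_id, cfg in old.items()
        if app_id in new
        for policy in cfg.policies - new[app_id].policies
    )
    unprotected = sorted(
        app_id for app_id, cfg in new.items() if not required <= cfg.policies
    )
    return {
        "missing_apps": missing_apps,
        "dropped_policies": dropped_policies,
        "unprotected": unprotected,
    }


def cutover_allowed(findings):
    """Cutover proceeds only when every finding list is empty."""
    return not any(findings.values())


def requires_token(app_id, inventory, fail_closed=True):
    """Gateway decision for a request from `app_id`.

    With fail_closed=True an app ID missing from the inventory is still made
    to present a token, so an omission degrades to a broken integration
    rather than to unauthenticated access.
    """
    cfg = inventory.get(app_id)
    if cfg is None:
        return fail_closed
    return "access_token_verification" in cfg.policies


if __name__ == "__main__":
    findings = migration_findings(OLD_INVENTORY, NEW_INVENTORY)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print("cutover allowed:", cutover_allowed(findings))
```

Run stand-alone, the check reports `museum_friends_web` as missing and `partner_api` as unprotected and blocks cutover. The `requires_token` helper illustrates the complementary design choice: a gateway that defaults to requiring a token for any app ID it does not recognise turns an inventory omission into a visible integration failure instead of an open endpoint.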

What Was the Outcome?

Based on its findings, the PDPC concluded that the Organisation had breached its data protection obligations under section 24 of the PDPA. The PDPC noted that the Organisation had taken prompt remedial actions, such as deactivating the compromised accounts, enabling the access token verification policy for the ASF webpage, and enhancing its security monitoring and software configuration testing processes.

However, the PDPC also determined that the Organisation's failure to have adequate processes in place to mitigate the risks of human error during the migration exercise was a serious breach that warranted a financial penalty. The PDPC imposed a financial penalty of $1.5 million on the Organisation, taking into account factors such as the scale of the data breach, the sensitivity of the personal data involved, and the Organisation's annual turnover.

Why Does This Case Matter?

This case highlights the importance of organisations having robust security measures and processes in place to protect personal data, particularly in the context of software migrations and system changes. The PDPC's decision emphasises that organisations must not only implement reasonable security arrangements but also have effective mechanisms to mitigate the risks of human error, which can lead to significant data breaches.

The case also demonstrates the PDPC's willingness to impose substantial financial penalties on organisations that fail to fulfil their data protection obligations, even if they have taken remedial actions. This serves as a strong deterrent for organisations to prioritise data protection and security, and to have appropriate safeguards and processes in place to prevent and respond to data breaches.

For legal practitioners, this case provides valuable insights into the PDPC's approach to evaluating the reasonableness of an organisation's security arrangements and its assessment of financial penalties. It highlights the importance of organisations maintaining comprehensive data protection policies, procedures, and controls, as well as the need for thorough testing and validation during system changes to mitigate the risks of human error.


This article analyses [2025] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla