Cyber Incident Victim: Marina Bay Sands
Date:
Oct 2023
Location:
Singapore
Summary
Marina Bay Sands experienced a cyberattack compromising personal data of 665,000 loyalty program members, including names, contact details, and membership numbers. The resort detected unauthorized access, engaged cybersecurity experts, and found no evidence of data misuse, with casino rewards data unaffected. Authorities were notified, and impacted individuals are being contacted. This incident follows similar breaches affecting major hotel and casino operators, heightening industry concerns over targeted cyber threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 19, 2023, hackers breached the systems of Marina Bay Sands, a prominent Singaporean integrated resort featuring a 2,200-room hotel and one of Asia’s largest casinos. The company detected the intrusion on October 20 and initiated an investigation, determining that unauthorized access had occurred to customer data within its loyalty program database. The compromised information included names, email addresses, phone numbers, countries of residence, and membership numbers belonging to 665,000 individuals. Marina Bay Sands clarified that its casino rewards program, Sands Rewards Club, remained unaffected by the breach. Upon discovery, the organization engaged a cybersecurity firm to remediate the incident and contained the breach promptly. While confirming data exfiltration, the company stated it found no evidence of misuse of the stolen information to harm customers as of the disclosure date. Notifications were sent to impacted customers, and authorities in Singapore and other relevant jurisdictions received formal reports of the incident.
The breach occurred amid a series of high-profile cyberattacks targeting major hotel and casino operators, including ransomware incidents at MGM Resorts and Caesars Entertainment in the United States during the same period. Industry analysts noted these attacks heightened security concerns across the hospitality sector. Marina Bay Sands emphasized that critical personally identifiable information such as social security numbers and financial data were not compromised. Cybersecurity experts warned that the stolen data—particularly email addresses and phone numbers—could facilitate follow-on social engineering attacks or phishing campaigns against victims. The company did not disclose technical details regarding the attackers’ methods, entry vectors, or specific containment measures beyond collaboration with external cybersecurity professionals. Financial impact estimates were not provided, contrasting with MGM Resorts’ earlier disclosure of a $100 million loss from its breach. Marina Bay Sands maintained operational continuity throughout the incident response.