Cyberattack on Marina Bay Sands.
By Tim Nodar, CyberWire senior staff writer
Nov 8, 2023

The cyberattack comes after earlier cyber incidents at MGM Resorts and Caesars Entertainment.

Singapore’s Marina Bay Sands resort has disclosed a data breach that affected the personal information of 665,000 customers, CNA reports. The breached data belonged to non-casino rewards programme members, and included names, email addresses, mobile phone numbers, phone numbers, countries of residence, and membership numbers and tiers. The incident occurred on October 19th and 20th, 2023.

Customers are being contacted.

The company said in a statement, “We will be reaching out to Sands LifeStyle loyalty programme members and sincerely apologize for the inconvenience caused by this incident. We have reported it to the relevant authorities in Singapore and other countries where applicable and are working with them in their inquiries into the issue.”

Marina Bay Sands in the context of attacks on other resorts.

Darren James, a senior product specialist at Specops, an Outpost24 company, commented on the attractiveness of resorts and other highly profitable businesses to cybercriminals: 

“The data breach incident at the Marina Bay Sands hotel and casino has come to light just a few weeks after the MGM Casino breach. Once again, we see that these high profile and highly profitable organizations are becoming a more popular target for cyber criminals. We don’t have many details so far apart from unauthorized access being obtained.

“Although not confirmed in this case, this type of breach is usually gained by using compromised credentials or a socially engineered service desk and should serve as a reminder for us all that poor password hygiene (use of compromised, short passwords) should no longer be tolerated in any business environment.

“Alongside improvements to passwords, a strong second factor should be introduced wherever possible, and the service desk should be equipped with a way of verifying who is calling them for assistance.”

The attackers in this case may not have made off with PII. Sean Deuby, principal technologist at Semperis, wrote:

“Today’s disclosure of a data breach involving the Singapore-based Marina Bay Sands hotel and casino, on top of recent attacks on Las Vegas-based MGM and Caesars, has left the entire hotel and casino industry on edge.

“The silver lining in this most recent breach is that hackers don’t appear to have walked away with the crown jewels of personally identifiable information such as social security numbers and credit card data. However, by stealing other personal information about Marina Bay Sands’ loyal customers such as email addresses and mobile phone numbers, there is a high probability that the attackers could conduct other social engineering-based attacks and phishing scams in the weeks ahead or sell the data to the highest bidders on the dark web.

“Most data breaches of this nature lead to material losses for the organization, its employees and customers. While the hotel is still assessing the magnitude of losses, the good news is that Marina Bay has a seasoned security team in place, and they will close any gaps and return the hotel and casino to full capacity as quickly as possible. I’m certain Marina Bay focuses regularly on the resiliency of their systems and runs tabletop exercises that enable them to harden critical systems before attacks occur. This strategy helps reduce losses in times of crisis.

“There’s no sugarcoating the fact that when sensitive data is exposed it can be jarring to companies. However, defenders can make their organizations so difficult to compromise that hackers look for lower-hanging fruit in the ecosystem to attack. And with Active Directory environments vulnerable, hackers frequently target these environments, making it imperative that organizations have real-time visibility to changes to elevated network accounts and groups.”

A reminder of the importance of organizational self-assessment.

Like other major attacks, the incident at Marina Bay Sands should prompt organizations to undertake some serious self-examination. Alastair Williams, Vice President of Worldwide Systems Engineering at Skybox Security, commented:

“In the wake of the recent Marina Bay Sands data breach, organizations need to reevaluate and enhance their cybersecurity posture to safeguard against potential vulnerabilities that could expose customers to social engineering attacks. While conventional security measures like spam filters and endpoint detection and response mechanisms can make it harder for malicious actors to breach an organization's defenses, these measures alone may fall short of providing comprehensive protection.

“Individuals must be well-informed about identifying and mitigating the risks associated with social engineering and phishing scams. Organizations should kickstart this process by adopting a holistic approach that encompasses a comprehensive view, modeling, and visualization of their entire attack surface, including IT and OT environments and all of their connections. Organizations should not limit themselves to active scanning alone; they should incorporate scanless detection techniques as well. This choice leads to continuous, non-intrusive discovery, even on assets that cannot be actively scanned, such as routers, switches, and sensitive OT devices, effectively filling the gaps between active scan events on scannable assets.

“To further fortify their cybersecurity measures, organizations should ensure they have solutions in place that can quantify the business impact of cyber risks in terms of their economic consequences. This approach aids in the identification and prioritization of the most critical threats, taking into consideration factors like the size of the financial impact and other risk analyses, including exposure-based risk scores.”