The prestigious Marina Bay Sands (MBS) resort complex in Singapore has become the latest major hospitality operation to fall victim to cyber criminals after a serious breach of its Sands LifeStyle loyalty programme, which has seen the data of 650,000 members compromised.
Self-described as Asia’s “leading business, leisure and entertainment destination”, MBS operates Singapore’s largest hotel, with 2,200 rooms and suites and a world-famous infinity pool, as well as a casino, luxury shopping mall, convention and exhibition centre, and an arts and science museum.
Its roof garden was also the finishing line for competitors in the first season of the BBC reality show Race Across The World.
The resort is owned and operated by Sands, the developer of The Venetian resort in Las Vegas and other properties in Macau, China.
The breach was first identified on 20 October, having begun a day previously when an undisclosed third party gained unauthorised access to the firm’s systems.
“Upon discovery of the incident, our teams immediately took action to resolve it. Investigations have since determined that an unknown third party accessed customer data of about 665,000 non-casino rewards programme members,” MBS said in a statement.
“Based on our investigation, we do not have evidence to date that the unauthorised third party has misused the data to cause harm to customers.
“We do not believe that membership data from our casino rewards programme, Sands Rewards Club, was affected.
“After learning of the issue, we quickly launched an investigation, have been working with a leading external cyber security firm, and have taken action to further strengthen our systems and protect data,” said the organisation.
The compromised data is understood to include names, email addresses, mobile phone and landline numbers, countries of residence, and membership numbers and tier status. MBS is reaching out to those affected.
“[We] sincerely apologise for the inconvenience caused by this incident. We have reported it to the relevant authorities in Singapore and other countries where applicable, and are working with them in their inquiries into the issue,” the firm said.
Hospitality suppliers at risk
Although the incident has not involved ransomware or extortion and is unrelated to twin attacks on two Las Vegas resort and casino operators earlier this autumn, it has once again highlighted how the hospitality and leisure sectors present attractive targets to cyber criminals thanks to the nature of the data they hold on their guests.
“Organisations in the hospitality and entertainment industry that deal with sensitive customer information need to safeguard their data with a threat-informed defence system,” said Andrew Costis, chapter lead of the adversary research team at AttackIQ, which specialises in breach and attack simulation.
“Although it is important to employ continuous evaluation of existing controls to uncover any gaps that threat actors can exploit, it is imperative to adopt a more proactive approach,” added Costis. “Studying the common tactics, techniques and procedures used by common threat actors will allow organisations to test their cyber defences, building a more resilient security detection, prevention and response programme.”
Sean Deuby, principal technologist at Semperis, a specialist in Active Directory protection, added: “[The] disclosure of a data breach involving the Singapore-based Marina Bay Sands hotel and casino, on top of recent attacks on Las Vegas-based MGM and Caesars, has left the entire hotel and casino industry on edge.
“The silver lining in this most recent breach is that hackers don’t appear to have walked away with the crown jewels of personally identifiable information [PII] such as social security numbers and credit card data,” Deuby told Computer Weekly in emailed comments. “However, by stealing other personal information … there is a high probability that the attackers could conduct other social engineering-based attacks and phishing scams in the weeks ahead or sell the data to the highest bidders on the dark web.”