MCI's Response to PQ on Data Security Incident Involving Personal Data

22 NOV 2023

Parliament Sitting on 22 November 2023

QUESTION FOR ORAL ANSWER

*9. Ms Hany Soh: To ask the Minister for Communications and Information with regard to the data security incident involving the personal data of about 655,000 members of a shopping loyalty programme operated by a luxury resort operator in Singapore (a) whether the incident was reported to the authorities and, if so, when was it reported; and (b) what was the reason provided to the authorities for the three-week delay in notifying affected members.

Answer:

  1. On 7 November 2023, Marina Bay Sands announced a breach of its customers’ loyalty programme membership data that took place on 19 and 20 October 2023. Marina Bay Sands has since notified affected individuals. 

  2. Singapore takes breaches of personal data seriously.  The Personal Data Protection Act (PDPA) requires all organisations to put in place reasonable security measures to protect the personal data in their possession or control, to prevent unauthorised access, disclosure, or modification.  The Guide on Managing and Notifying Data Breaches under the PDPA sets out clear timelines and requirements that organisations must comply with.

  3. Marina Bay Sands discovered the data breach on 20 October 2023, and notified the Personal Data Protection Commission (PDPC) on 24 October 2023.  This meets the timeframes for notification to PDPC as set out in the aforementioned Guide.1

  4. In the usual follow-up to the discovery of a data breach, there are 4 steps that organisations have to undertake. First, seek to contain the data breach – this is the utmost priority. Then, the organisation must make best efforts to assess extend to which data breach has resulted in loss of data. Thirdly, assess whether the data breach falls within the requirements for notifications. If it does, they have to report the data breach. Lastly, the organisation must evaluate their containment efforts – to assess whether they’re secure. As such, PDPC does give organisations more time before subsequent actions are taken. 

  5. PDPC is conducting investigations into this incident, including to ascertain whether there was significant harm to affected individuals and correspondingly, whether affected individuals were notified in a timely manner.  PDPC will provide their findings in due course.

  1. Organisations are required to assess whether the data breach is notifiable under the PDPA within 30 calendar days from when the organisation has credible grounds to believe that a data breach has occurred.  Upon determining that a data breach is notifiable, the organisation must notify PDPC as soon as practicable, and no later than three calendar days.  This means that organisations must notify PDPC within 33 calendar days from the discovery of the breach, if the breach is mandatory to report.