Marina Bay Sands hotel group latest hospitality target for hackers

Luxury Singapore hotel group Marina Bay Sands (MBS) has issued an email to its Sands LifeStyle rewards programme members informing them of a “data security incident”.

In a public statement the security incident — which is thought to have affected around 665,000 customers — occurred on 19 to 20 October and involved unauthorised third-party access to its non-casino customers’ loyalty programme membership data.

Based on its investigation so far, the hotel group claimed that there was no evidence to date that the unauthorised third party has used the data “to cause harm to customers”.

The leaked data included personally identifiable information such as customer names, email addresses, phone numbers, country of residence, membership numbers and tiers.

This information could be used in phishing campaigns targeting some of the said customers.

After discovering the incident on 20 October, the hotel said that it took immediate action, working with an external cyber security firm to strengthen its systems and protect its data.

The hospitality group said that it was also reaching out to its Sands Lifestyle loyalty programme members to apologies for the inconvenience caused by this incident and have reported it to the relevant authorities in Singapore and other countries where applicable.

The hospitality industry has been a focus for hackers this year, after to major breaches at resort groups MGM and Caesars Entertainment in the US in September and October respectively.

According to one Trustwave report over a third of hospitality organisations have reported a data breach in their company’s history, with 89% of the hotels, restaurants, cruise ships, and other hospitality businesses sustaining more than one breach a year.

Commenting on the Marina Bay Sands breach, Javad Malik, a lead security awareness advocate at KnowBe4 suggested that cyber training more staff and fostering a security-conscious culture across the organisation could help crack down on future hacks.

“By doing so, organisations can better safeguard their customers’ trust while mitigating the impact of potential breaches,” he added.

Erfan Shadabi, cybersecurity expert at comforte AG added that the enormous amount of personal and private data the leisure and travel industry collects from customers is viewed as a “potential gold mine” for cybercriminals.

“Every business in this industry should embrace that fact and implement the necessary protection to safeguard this data.

“Organisations need to adopt a data-centric approach to security. Protecting customer data doesn’t equate to just guarding it with strong perimeters around data repositories containing data at rest.

“It also means applying protection directly to the data itself, in motion and at rest. Data-centric security methods such as tokenisation and format-preserving encryption obfuscate sensitive data elements while enabling organisations to work with data in its protected state.”