Bay view of Marina Bay Sands resort showing data breach

Data Breach at Singapore’s Marina Bay Sands Resort Involves Personal Data of 665,000 Loyalty Program Members

A recent data breach at the Marina Bay Sands resort has seen personal data for about 665,000 guests leaked to as-of-yet unknown attackers, in an incident that has echoes of the recent major breaches in Las Vegas.

As with the MGM and Caesars attacks, the hackers appear to have accessed loyalty program information. However, the attack appears to be limited to the “Sands LifeStyle” reward program that offers rebates on hotel stays and attractions; the “Sands Rewards Club” program for casino play does not appear to be impacted.

Data breach at leading Singapore resort impacts hotel guests

The Marina Bay Sands is a sprawling waterfront resort that is home to a casino, a 2,500-room hotel, a convention center, a shopping mall and numerous other attractions. The property maintains two different loyalty programs: the Sands LifeStyle program offers discounts and rewards for essentially all of the non-casino spend available on the property, while the Sands Rewards Club is specifically for gaming.

It is the former that appears to have been impacted by this data breach, which appears to be similar to the ones that struck both MGM and Caesars in recent months. However, the perpetrator and method of attack have not yet been confirmed. What is known is that about 665,000 Sands LifeStyle program members have had some amount of personal data connected with those accounts compromised: names, email addresses, phone numbers, country of residence, membership number and current program tier. There is not yet any indication that financial information or more sensitive identification information was compromised. Marina Bay Sands has said that it is individually informing impacted customers.

A data breach report filed by the resort indicates that it took place on October 19 and 20. A spokesperson for Marina Bay Sands has said that internal security became aware of the data breach on October 20 and took immediate action to cut off access. A notification to customers also indicates that Singapore law enforcement agencies have been engaged.

The resort does not publish numbers of how many Sands LifeStyle members there are, but its notification also said that only “some” members were impacted; recent estimates have found that the resort sees about 45 million visitors per year.

The public could really use much more information about who the perpetrators are, but given the limited scope of contact information it would appear the central threat from this data breach would be targeted phishing attempts. Attackers will likely mock up communications from Marina Bay Sands, using customer personal information and membership numbers or tiers to add legitimacy to the attempt. Though there is no indication that any of the Sands Macau properties were involved in this breach, the attackers may also target those customers in the hope of finding member overlap.

Details of Sands attack raise speculation about “Scattered Spider” involvement

Any attack on a casino-hotel from this point forward is going to raise natural speculation about the involvement of “Scattered Spider,” particularly when loyalty program information is targeted. Also referred to as UNC3944 or 0ktapus, the hacking group first emerged over a year ago and has since grown to become a leading financial threat on the strength of its social engineering (performed over the phone by native English speakers seemingly based in the US or UK/EU) and its ability to execute SIM swap attacks to compromise employee phones.

Given that English is widely spoken in Singapore, it is entirely possible that Scattered Spider could leverage those skills to attack a local business (possibly by pretending to be from the Las Vegas Sands corporate headquarters). However, it is at least equally possible that this is either a copycat attack, or that the targeting of another casino is just a coincidence. While Scattered Spider did steal some sensitive personal information from the Vegas casinos it compromised, the real money it made was from deploying ransomware during the data breach and causing chaos throughout the properties for extended periods. It will be interesting to learn if there was a thwarted attempt to deploy ransomware at Marina Bay Sands, or if the attackers simply exfiltrated customer data until they were kicked out of the network. The latter would strongly suggest that it is a different group.

The Caesars and MGM data breaches ultimately cost $15 million and $100 million respectively, but that was almost entirely due to the use of ransomware. Sean Deuby, Principal Technologist at Semperis, notes that this attack is very likely to be much less costly based on what we currently know about it: “The silver lining in this most recent breach is that hackers don’t appear to have walked away with the crown jewels of personally identifiable information such as social security numbers and credit card data … Most data breaches of this nature lead to material losses for the organization, its employees and customers. While the hotel is still assessing the magnitude of losses, the good news is that Marina Bay has a seasoned security team in place, and they will close any gaps and return the hotel and casino to full capacity as quickly as possible. I’m certain Marina Bay focuses regularly on the resiliency of their systems and run tabletop exercises that enables them to harden critical systems before attacks occur. This strategy helps reduce losses in times of crisis.”

Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, offers some advice for a hospitality industry that is likely to see even more attacks of this nature in the near future: “Organizations in the hospitality and entertainment industry that deal with sensitive customer information need to safeguard their data with a threat-informed defense system. Although it is important to employ continuous evaluation of existing controls to uncover any gaps that threat actors can exploit, it is imperative to adopt a more proactive approach. Studying the common tactics, techniques, and procedures used by common threat actors will allow organizations to test their cyber defenses, building a more resilient security detection, prevention, and response program.”

And though this may well end up not being a particularly damaging data breach, Alastair Williams (Vice President of Worldwide Systems Engineering at Skybox Security) notes that it is an appropriate prompt to review defensive posture: “In the wake of the recent Marina Bay Sands data breach, organizations need to reevaluate and enhance their cybersecurity posture to safeguard against potential vulnerabilities that could expose customers to social engineering attacks. While conventional security measures like spam filters and endpoint detection and response mechanisms can make it harder for malicious actors to breach an organization’s defenses, these measures alone may fall short of providing comprehensive protection. Individuals must be well-informed about identifying and mitigating the risks associated with social engineering and phishing scams. Organizations should kickstart this process by adopting a holistic approach that encompasses a comprehensive view, modeling, and visualization of their entire attack surface, including IT and OT environments and all of their connections.”

“Organizations should not limit themselves to active scanning alone; they should incorporate scanless detection techniques as well. This choice leads to continuous, non-intrusive discovery, even on assets that cannot be actively scanned, such as routers, switches, and sensitive OT devices, effectively filling the gaps between active scan events on scannable assets. To further fortify their cybersecurity measures, organizations should ensure they have solutions in place that can quantify the business impact of cyber risks in terms of their economic consequences. This approach aids in the identification and prioritization of the most critical threats, taking into consideration factors like the size of the financial impact and other risk analyses, including exposure-based risk scores,” advised Williams.