Singapore’s Marina Bay Sands is the latest casino-hotel complex to suffer a major data breach, and like the recent Vegas incidents it involves stolen loyalty program information. However, it does not appear to have involved ransomware and there is not yet any indication that the “Scattered Spider” group is the culprit.
The resort has two different loyalty programs, basically divided between casino play and all other types of activity on the property (such as hotel stays and dining). The casino play element of the program appears to be untouched, and there is no indication any financial information was taken. Members of the other loyalty program, “Sands LifeStyle,” have had the basic contact information connected to their accounts leaked.
Was the Sands data breach another “Scattered Spider” strike?
Just based on the information that has been released thus far, it seems unlikely that this was another “Scattered Spider” incident. The unusual hacking group is thought to be based in the West and makes use of its native English language capability and research into target company protocols to attack with convincing social engineering calls. It’s unclear if that is what happened here; it’s always possible that someone simply left a misconfigured database facing the open internet, and it’s just a coincidence that it happened to another casino after breaches at MGM and Caesars.
The biggest piece of evidence against it being Scattered Spider is the lack of ransomware. The breach window reportedly lasted from October 19 to October 20, with Sands security learning about it and taking active measures on the second day. That should have been enough time for the group to deploy ransomware, but there are no reports of anything but basic loyalty program contact info being exposed.
Whether or not it was Scattered Spider, the hospitality industry has become a strong focus for criminal hackers due to its large collections of personal data paired with payment and state or national identification information.
Sands LifeStyle data breach impacts guests who shopped, dined or stayed at Marina Bay Hotel
While casino-goers don’t have to worry about their personal information, the data breach potentially impacts any Sands LifeStyle reward member. The company would only say that about 665,000 members, or “some” of its total loyalty program base, were impacted.
Though it appears that only the Marina Bay Sands was hit by this data breach, members of loyalty programs at the company’s various Macau properties may also want to be on the lookout for targeted phishing emails that appear legitimate and contain convincing personal details. The personal information that was stolen will not get attackers far by itself, but it is ideal for forging authentic-looking communications from the Sands corporation. As always, URLs should be carefully scrutinized for authenticity (and ideally not clicked on from unsolicited text messages or emails), and any attachments purporting to be from the company should be approached with extreme caution.