In this landmark case, the Personal Data Protection Commission formulates a methodology for applying the increased financial penalties under the Personal Data Protection Act 2012.

PDPC Applies New Penalty Framework in Landmark Case

Date
October 31, 2025
Author
OrionW

The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands Pte Ltd (MBS) SGD 315,000 for failing to safeguard personal data in accordance with the Personal Data Protection Act (PDPA). This marks the first financial penalty issued under the revised penalty framework.

Background

In October 2023, personal data, including names and contact details, of more than 660,000 individuals were illegally accessed and offered for sale on the dark web. A threat actor gained unauthorised access to 6 customer accounts through “password spraying”, whereby the same password was tried against many accounts until access was obtained. The 6 compromised accounts were then used to access the data of other members. This was only possible because of a misconfiguration error during MBS’s software migration exercise.
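The pattern described above (one source, one or two guesses each against many accounts, followed by a successful login) is what a detection rule should look for, as distinct from a brute-force burst against a single account. The following is an added example written for this article, not code from the PDPC decision or from MBS; the log line format, the sample log lines, the IP addresses and account names, and the thresholds are all constructed assumptions for illustration.

```python
"""Flag password-spraying patterns in authentication logs.

Added example for illustration. The log format "<ISO timestamp> <source_ip>
<account> <result>" and the thresholds below are assumptions, not a real
product's format or the thresholds used in the case discussed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays many accounts
# with few attempts each; 198.51.100.4 hammers one account (brute force, not
# spraying); 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2023-10-01T02:00:01 203.0.113.7 member001 FAIL
2023-10-01T02:00:03 203.0.113.7 member002 FAIL
2023-10-01T02:00:05 203.0.113.7 member003 FAIL
2023-10-01T02:00:07 203.0.113.7 member004 FAIL
2023-10-01T02:00:09 203.0.113.7 member005 FAIL
2023-10-01T02:00:11 203.0.113.7 member006 SUCCESS
2023-10-01T02:00:13 203.0.113.7 member007 FAIL
2023-10-01T02:05:00 198.51.100.4 alice FAIL
2023-10-01T02:05:02 198.51.100.4 alice FAIL
2023-10-01T02:05:04 198.51.100.4 alice FAIL
2023-10-01T02:05:06 198.51.100.4 alice FAIL
2023-10-01T02:05:08 198.51.100.4 alice FAIL
2023-10-01T02:05:10 198.51.100.4 alice FAIL
2023-10-01T02:06:00 192.0.2.9 bob FAIL
2023-10-01T02:06:30 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, account, result), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spraying(events, window=timedelta(minutes=10),
                             min_accounts=5, max_fails_per_account=2):
    """Return {source_ip: details} for sources whose failed logins within any
    `window` touch at least `min_accounts` distinct accounts while no single
    account sees more than `max_fails_per_account` failures.

    The per-account cap is what separates spraying (wide, shallow) from a
    brute-force attempt on one account (narrow, deep).
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [(ts, acct) for ts, acct, res in evs if res == "FAIL"]
        start = 0
        # Sliding window over this source's failures, in time order.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, acct in failures[start:end + 1]:
                counts[acct] += 1
            if len(counts) < min_accounts or max(counts.values()) > max_fails_per_account:
                continue
            # Accounts this source logged into after the spray began are the
            # ones to treat as potentially compromised.
            later_successes = sorted({acct for ts, acct, res in evs
                                      if res == "SUCCESS" and ts >= failures[start][0]})
            details = {
                "distinct_accounts": len(counts),
                "first_seen": failures[start][0],
                "last_seen": failures[end][0],
                "later_successes": later_successes,
            }
            # Keep the widest window seen for this source.
            if ip not in alerts or details["distinct_accounts"] > alerts[ip]["distinct_accounts"]:
                alerts[ip] = details
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spraying(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against the constructed sample, only 203.0.113.7 is flagged: six distinct accounts with one failure each, and member006 listed as a later successful login from the same source. The six failures against alice from 198.51.100.4 are not reported by this rule, which is deliberate; that pattern belongs to a per-account lockout or brute-force rule rather than a spraying rule. In practice the thresholds need tuning to the login volume of the service, and source IP is a weak key when an attacker rotates addresses, so grouping by other request attributes as well is advisable.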

Commission’s Findings

The PDPC concluded that MBS negligently breached the Protection Obligation by failing to implement reasonable safeguards to mitigate foreseeable risks during its API replication process. In essence, where a risk to personal data is reasonably foreseeable, and the measures taken to reduce or eliminate that risk fall below the standard expected of a reasonable organisation, the breach is deemed negligent. In this case, a weak default password policy and a misconfiguration during migration rendered the intended access controls ineffective, enabling unauthorised access through password spraying and exposing sensitive personal data.

New Financial Penalty Framework

The PDPC imposed a financial penalty of S$315,000 on MBS for breaching the Protection Obligation. In determining the amount, the PDPC formulated a Financial Penalty (FP) Framework based on the increased penalties introduced by the Personal Data Protection (Amendment) Act 2020. The framework is guided by four principles: ensuring deterrence and proportionality, balancing individual privacy rights with legitimate business needs, maintaining consistency across similar cases, and applying the rules to the unique facts of each case.

The PDPC’s FP Framework is summarised below.

Each entry below gives the PDPC’s FP Framework step (Description) followed by its Application to MBS (Explanation).

Preliminary Step: Statutory maximum financial penalty (Statutory Max FP)
Description: An organisation with an annual turnover* of more than S$10 million has a Statutory Max FP of 10% of its total annual turnover. On the other hand, an organisation with an annual turnover of below S$10 million has a Statutory Max FP of S$1 million.
Application to MBS: MBS is in the High Turnover Class.

Preliminary Step: Maximum financial penalty for any given case (Case Max FP)
Description: In general, intentional contraventions will attract a higher percentage rate than negligent contraventions.
Application to MBS: As the breach is negligent, the Case Max FP is set at 10% of MBS’s annual turnover.

5-Step Methodology, Step 1: Identifying the level of culpability and harm
Description: Culpability is rated as low, medium or high based on factors such as the nature, gravity and duration of non-compliance, the extent of negligence and any planning or intent. Harm is classified as slight, moderate or severe, considering the sensitivity of the data involved, the number of individuals affected, the actual harm caused and the risks to personal data arising from the breach.
Application to MBS: Level of culpability – low. Level of harm – moderate.

5-Step Methodology, Step 2: Calculating the Starting FP
Description: The approximate starting financial penalty (Starting FP) is determined based on the level of culpability and harm assessed in Step 1.
Application to MBS: The Starting FP is in the low-moderate band.

5-Step Methodology, Step 3: Aggravating and mitigating factors
Description: The Starting FP is adjusted to account for aggravating and mitigating factors.
Application to MBS: The PDPC considered multiple mitigating factors in MBS’s favour.

5-Step Methodology, Step 4: Impact of the financial penalty on the organisation
Description: The PDPC determines whether the financial penalty would impair the organisation’s ability to continue its usual activities.
Application to MBS: The financial penalty of S$315,000 would not adversely affect MBS’s ability to continue its usual activities.

5-Step Methodology, Step 5: Final adjustment
Description: This step ensures the financial penalty remains proportionate while serving as an effective deterrent.
Application to MBS: No further adjustment is required.

*The organisation’s annual turnover is to be ascertained from its most recent audited accounts at the time the financial penalty is imposed, and not when the contraventions were committed.

Conclusion

Higher financial penalties highlight the critical need for PDPA compliance. By linking penalties to turnover and applying a structured, principle-based approach, the FP Framework promotes fairness while deterring breaches. This case reinforces that data protection is a business imperative: organisations should implement robust data protection compliance programmes promptly to avoid costly penalties and safeguard trust.

For More Information

OrionW regularly advises clients on data protection matters.  For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
