Oral Answer · 2023-11-22 · 14th Parliament
Question on the Shopping Loyalty Programme Member Data Breach
Data Security Incident Involving Personal Data of Members of Shopping Loyalty Programme
The Member asked about the reporting timeline for the data breach affecting shopping loyalty programme members of a luxury resort operator in Singapore, and about the reason for the delayed notification. The Minister for Communications and Information replied that the incident was reported to the regulator within the prescribed timeframe, and explained that notification was delayed because containing the breach, assessing its impact and confirming the notification requirements took priority. The regulator is investigating whether the incident caused significant harm to individuals and whether notification was timely.
Key Points
- Incident reported within the prescribed timeframe
- Notification delayed to prioritise containment of the breach
- Regulator investigation under way
Takes data protection seriously; strict enforcement
Concern over notification delay and investigation progress
Strengthen data breach management requirements
"Singapore takes breaches of personal data seriously."
English Original
SPRS Hansard original record · retrieved 2026-05-02
9 Ms Hany Soh asked the Minister for Communications and Information with regard to the data security incident involving the personal data of about 655,000 members of a shopping loyalty programme operated by a luxury resort operator in Singapore (a) whether the incident was reported to the authorities and, if so, when was it reported; and (b) what was the reason provided to the authorities for the three-week delay in notifying affected members.
The Minister for Communications and Information (Mrs Josephine Teo): Mr Speaker, on 7 November 2023, Marina Bay Sands (MBS) announced a breach of its customers' loyalty programme membership data that took place on 19 and 20 October 2023. MBS has since notified affected individuals.
Singapore takes breaches of personal data seriously. The Personal Data Protection Act (PDPA) requires all organisations to put in place reasonable security measures to protect the personal data in their possession or control, to prevent unauthorised access, disclosure or modification. The Guide on Managing and Notifying Data Breaches under the PDPA sets out clear timelines and requirements that organisations must comply with.
MBS discovered the data breach on 20 October 2023, and notified the Personal Data Protection Commission (PDPC) on 24 October 2023. This meets the timeframes for notification to PDPC as set out in the earlier mentioned guide.
The Member may ask why notifications are not required to be made immediately. That is really because in the usual follow-up to the discovery of a data breach, there are usually four things that we would like the organisations to undertake.
First is that they must immediately seek to contain the breach. So, that is the immediate priority. The second is that they must then make best efforts to assess the degree and the extent to which the data breach has resulted in loss of data. The third is then they must assess whether this falls within the requirements for notification, and if it does, then they must proceed to make the report. And the fourth is that they must then evaluate their containment efforts, whether they are secure.
So, there are these four steps, and because the priority is on containment and assessment, PDPC does give the organisation a little bit of time before they make the notification report to the PDPC.
With that as background, let me assure the Member that PDPC is conducting investigations into this incident. It will ascertain whether there was significant harm to affected individuals and correspondingly, whether affected individuals were notified in a timely manner. PDPC will provide their findings in due course.
Mr Speaker: Ms Hany Soh.
Ms Hany Soh (Marsiling-Yew Tee): I thank the Minister for her response to my Parliamentary Question. I have a few supplementary questions in relation to that.
Firstly, in relation to the PDPC's investigation findings, do we have an estimated timeline as to when that will be completed and whether that would be subsequently published to the public for information?
Secondly, subsequent to the reporting by MBS to the PDPC, whether the PDPC has received any reports from members who are affected, especially, and how this particular incident has affected these members and whether any of them has been further assisted since then?
Thirdly, this is in relation to whether the Ministry or the PDPC would consider it necessary to impose further specific or enhanced obligations on these organisations that possess large volumes of personal data, for example, through licensing conditions, where applicable?
Mrs Josephine Teo: Mr Speaker, I thank the Member for her supplementary questions. Let me try to address them in turn.
The first is on whether the findings of its investigations will be made public – the answer is yes. As to how long that will take, it goes to the complexity of the investigations. And so, it is difficult to say in advance what the duration is likely to be.
Her second question relates to whether there were any follow-ups from affected members of MBS. The PDPC received reports from two of those members who were affected. Essentially, they wanted to draw the PDPC's attention to this, in case it was not notified, or it was not yet aware of the breach. And the second is that they also asked that the PDPC take MBS to account for this breach which, of course, the PDPC intended to do in any case.
As to how these affected members were being assisted by MBS, I think, in the first place, it is most important for the members to know what types of data have been accessed or revealed as a result of this breach. And so, when MBS notified the affected members, it did clarify that the types of personal data that were revealed, included the name, contact information, country of residence and membership number as well as tier. This was the extent of the breach that the MBS was able to ascertain.
It further provided advice to the affected members on how they could safeguard their accounts with MBS, as well as other kinds of personal information. As a responsible measure, they provided a contact for follow-up enquiries, in case the affected members wanted to clarify on various other aspects.
Ms Soh's third question had to do with the organisations that could be in possession of large volumes of data. Our position today already states that a higher standard of personal data protection is required when organisations hold large quantities of different types of personal data or hold data that might be more sensitive, such as insurance, medical and financial data.
In such cases, organisations are required to implement enhanced data protection practices as stipulated in the PDPC's guide to data protection practices for information and communications technology (ICT) systems.
In addition, the PDPC has issued an advisory guideline on enforcement for data protection provisions that makes clear that failure to put in place adequate safeguards for large volumes of sensitive personal data can be taken as an aggravating factor in calculating the level of penalties to be imposed on an organisation. I hope that addresses the Member's questions.