Oral Answer · 2023-11-22 · 14th Parliament
Question on the Shopping Loyalty Programme Member Data Breach
A Member asked about the timing of the report and the reason for the delayed notification in the data breach affecting shopping loyalty programme members of a luxury resort operator in Singapore. The Minister for Communications and Information replied that the incident was reported to the regulator within the stipulated timeframe, and explained that the delay in notifying members arose from the need to prioritise containing the breach, assessing its impact and confirming whether the notification requirements applied. The regulator is investigating whether the incident caused significant harm to individuals and whether notification was timely.
Key points
- Incident reported within the stipulated timeframe
- Notification delayed to prioritise containment of the breach
- Regulator is investigating
Takes data protection seriously; strict enforcement
Concern over the notification delay and the progress of the investigation
Strengthen data breach management rules
“Singapore takes breaches of personal data seriously.”
Participants (3)
- Hany Soh
- Josephine Teo
- Minister for Communications and Information
Full text (Chinese translation, rendered here in English)
Hansard original record · 2026-05-02
9 Ms Hany Soh asked the Minister for Communications and Information, regarding the data security incident involving the personal data of about 655,000 members of a shopping loyalty programme operated by a luxury resort operator in Singapore, (a) whether the incident has been reported to the relevant authorities and, if so, when; and (b) what reason was given to the authorities for the three-week delay in notifying affected members.
The Minister for Communications and Information (Mrs Josephine Teo) replied: Mr Speaker, on 7 November 2023, Marina Bay Sands (MBS) announced that its customer loyalty programme membership data had been breached on 19 and 20 October 2023. MBS has since notified the affected individuals.
Singapore takes personal data breaches very seriously. The Personal Data Protection Act (PDPA) requires all organisations to take reasonable security measures to protect the personal data in their possession or under their control against unauthorised access, disclosure or modification. The Guide on Managing and Notifying Data Breaches under the PDPA clearly sets out the timelines and requirements that organisations must comply with.
MBS discovered the data breach on 20 October 2023 and notified the Personal Data Protection Commission (PDPC) on 24 October 2023. This complies with the timeframe for notifying the PDPC set out in the guide mentioned above.
The Member may ask why immediate notification is not required. This is mainly because, in the usual follow-up after a data breach is discovered, an organisation generally needs to complete four tasks.
First, it must immediately take steps to contain the breach; this is the top priority. Second, it must make best efforts to assess the degree and extent of the data loss resulting from the breach. Third, it must assess whether the notification requirements are met and, if so, make the report. Fourth, it must evaluate whether its containment measures are effective and secure.
So there are these four steps, and because containment and assessment are prioritised, the PDPC allows organisations some time before they submit the notification report to the PDPC.
Against this background, I assure the Member that the PDPC is investigating this incident and will determine whether significant harm was caused to affected individuals, and whether affected individuals were informed in a timely manner. The PDPC will publish its findings in due course.
Mr Speaker: Ms Hany Soh.
Ms Hany Soh (Marsiling-Yew Tee): I thank the Minister for her reply to my Parliamentary Question. I have a few supplementary questions.
First, on the PDPC's investigation findings, do we have an estimated completion time? Will the findings subsequently be published to the public?
Second, after MBS reported to the PDPC, has the PDPC received any reports from affected members, in particular on how this incident has affected those members, and has any further assistance been provided?
Third, would the relevant Ministry or the PDPC consider imposing more specific or stricter obligations on organisations that hold large volumes of personal data, for example through licensing conditions where applicable?
Mrs Josephine Teo replied: Mr Speaker, I thank the Member for her supplementary questions, and I will answer them in turn.
First, on whether the investigation findings will be made public: the answer is yes. As to how long it will take, that depends on the complexity of the investigation, so it is difficult to give a specific duration in advance.
The second question is whether any affected MBS members made follow-up reports. The PDPC received reports from two affected members, mainly to alert the PDPC to the matter in case it had not been notified or was not yet aware of the breach. Secondly, they also asked the PDPC to hold MBS accountable for the breach, which the PDPC intended to do in any case.
As to how MBS assisted affected members, first and most importantly, members need to know what types of data the breach involved. When MBS notified affected members, it clearly stated that the types of data breached included name, contact information, country of residence, membership number and membership tier. This is the extent of the breach that MBS was able to confirm.
In addition, MBS provided affected members with advice on how to protect their MBS accounts and other personal information. As a responsible measure, MBS provided a contact point for affected members to follow up with enquiries and to clarify other related matters.
The third question concerns organisations holding large volumes of data. Our current position is that a higher standard of personal data protection is required when an organisation holds large volumes of different types of personal data, or more sensitive data (such as insurance, medical and financial data).
In such cases, organisations must implement enhanced data protection measures in accordance with the PDPC's Guide to Data Protection Practices for Information and Communications Technology (ICT) Systems.
In addition, the PDPC has issued guidelines on the enforcement of the data protection provisions, which make clear that failure to put in place adequate safeguards for large volumes of sensitive personal data can be treated as an aggravating factor when penalties are determined. I hope the above answers address the Member's questions.
English original
SPRS Hansard · Fetched: 2026-05-02
9 Ms Hany Soh asked the Minister for Communications and Information with regard to the data security incident involving the personal data of about 655,000 members of a shopping loyalty programme operated by a luxury resort operator in Singapore (a) whether the incident was reported to the authorities and, if so, when was it reported; and (b) what was the reason provided to the authorities for the three-week delay in notifying affected members.
The Minister for Communications and Information (Mrs Josephine Teo): Mr Speaker, on 7 November 2023, Marina Bay Sands (MBS) announced a breach of its customers' loyalty programme membership data that took place on 19 and 20 October 2023. MBS has since notified affected individuals.
Singapore takes breaches of personal data seriously. The Personal Data Protection Act (PDPA) requires all organisations to put in place reasonable security measures to protect the personal data in their possession or control, to prevent unauthorised access, disclosure or modification. The Guide on Managing and Notifying Data Breaches under the PDPA sets out clear timelines and requirements that organisations must comply with.
MBS discovered the data breach on 20 October 2023, and notified the Personal Data Protection Commission (PDPC) on 24 October 2023. This meets the timeframes for notification to PDPC as set out in the earlier mentioned guide.
The Member may ask why notifications are not required to be made immediately. That is really because in the usual follow-up to the discovery of a data breach, there are usually four things that we would like the organisations to undertake.
First is that they must immediately seek to contain the breach. So, that is the immediate priority. The second is that they must then make best efforts to assess the degree and the extent to which the data breach has resulted in loss of data. The third is then they must assess whether this falls within the requirements for notification, and if it does, then they must proceed to make the report. And the fourth is that they must then evaluate their containment efforts, whether they are secure.
So, there are these four steps, and because the priority is on containment and assessment, PDPC does give the organisation a little bit of time before they make the notification report to the PDPC.
With that as background, let me assure the Member that PDPC is conducting investigations into this incident. It will ascertain whether there was significant harm to affected individuals and correspondingly, whether affected individuals were notified in a timely manner. PDPC will provide their findings in due course.
Mr Speaker: Ms Hany Soh.
Ms Hany Soh (Marsiling-Yew Tee): I thank the Minister for her response to my Parliamentary Question. I have a few supplementary questions in relation to that.
Firstly, in relation to the PDPC's investigation findings, do we have an estimated timeline as to when that will be completed and whether that would be subsequently published to the public for information?
Secondly, subsequent to the reporting by MBS to the PDPC, whether the PDPC has received any reports from members who are affected, especially, and how this particular incident has affected these members and whether any of them has been further assisted since then?
Thirdly, this is in relation to whether the Ministry or the PDPC would consider it necessary to impose further specific or enhanced obligations on those organisations that possess large volumes of personal data, for example, through licensing conditions, where applicable?
Mrs Josephine Teo: Mr Speaker, I thank the Member for her supplementary questions. Let me try to address them in turn.
The first is on whether the findings of its investigations will be made public – the answer is yes. As to how long that will take, it goes to the complexity of the investigations. And so, it is difficult to say in advance what the duration is likely to be.
Her second question relates to whether there were any follow-ups from affected members of MBS. The PDPC received reports from two of those members who were affected. Essentially, they wanted to draw the PDPC's attention to this, in case it was not notified, or it was not yet aware of the breach. And the second is that they also asked that the PDPC take MBS to account for this breach which, of course, the PDPC intended to do in any case.
As to how these affected members were being assisted by MBS, I think, in the first place, it is most important for the members to know what types of data have been accessed or revealed as a result of this breach. And so, when MBS notified the affected members, it did clarify that the types of personal data that were revealed included the name, contact information, country of residence and membership number, as well as tier. This was the extent of the breach that MBS was able to ascertain.
It further provided advice to the affected members on how they could safeguard their accounts with MBS, as well as other kinds of personal information. As a responsible measure, they provided a contact for follow-up enquiries, in case the affected members wanted to clarify on various other aspects.
Ms Soh's third question had to do with the organisations that could be in possession of large volumes of data. Our position today already states that a higher standard of personal data protection is required when organisations hold large quantities of different types of personal data or hold data that might be more sensitive, such as insurance, medical and financial data.
In such cases, organisations are required to implement enhanced data protection practices as stipulated in the PDPC's guide to data protection practices for information and communications technology (ICT) systems.
In addition, the PDPC has issued an advisory guideline on enforcement for data protection provisions that makes clear that failure to put in place adequate safeguards for large volumes of sensitive personal data can be taken as an aggravating factor in calculating the level of penalties to be imposed on an organisation. I hope that addresses the Member's questions.