Decisions in which data breaches occurred because companies failed to carry out the necessary controls and did not take the required administrative and technical measures are listed below:
Summary of the Decision of the Personal Data Protection Board dated 18/06/2019 and numbered 2019/170 on “About a data breach notification of a retail clothing company”
- The data breach suffered by the retail clothing company is an indication that the Company does not have log recording/tracking and alarm systems, or does not use them effectively, and that the necessary controls are not carried out by the Company,
- Since the fact that personal data could be seen by third-party vendors/providers via the URL was concluded to be an indication that the tests performed during the web page design phase were insufficient or that the necessary tests were not carried out, and since the inadequacy of those tests together with the lack of tracking/alarm systems for the transactions performed delayed the detection of the breach, it was decided to impose an administrative fine of 50,000 TL on the company.
Summary of the Decision of the Personal Data Protection Board dated 11/02/2020 and numbered 2020/113, “About the data breach notification of a company providing electronic sales services”
For the company providing electronic sales services, it was established that penetration tests were performed only after the breach; that the pre-breach systems contained vulnerabilities such as SQL Injection and Cross-Site Scripting that could allow access to critical information; that application traffic could easily be intercepted because no SSL certificate was defined in the mobile application; that the policies and response plans were created only after the breach occurred; that no corporate training and awareness activities were organised before the breach; and that the breach could only be detected because the person who committed it contacted the data controller. Considering these points, the board decided to impose an administrative fine of 200.000 TL. The decision makes clear the importance of penetration testing and the necessity of having data protection and destruction policies within the company.
Summary of the Decision of the Personal Data Protection Board dated 03/03/2020 and numbered 2020/201 “About a bank's data breach notification”
- The breach occurred through the sending of 905 notifications (e-mail and text message), which were not based on an actual transaction but were registered in the Bank's system, to the relevant customers regarding the completion of financing installment payment collections of corporate customers. As a result, personal data of the relevant persons such as identity (name-surname), customer transaction (current account number, financing account number, transaction date) and financial information (financing installment number, financing installment amount, financing installment date) were affected,
- It was concluded that the cause of this breach was that the control mechanism put in place to check whether the Bank's "Notification" application system was broken, whether by error or intentionally, was not at a sufficient level; such errors should be detected during the testing phase and changes should be corrected before they are published. Due to the failure to take the necessary precautions and the insufficient control of the parameters, the board imposed an administrative fine of 75,000 TL on the Bank.
Another decision emphasizing the importance of all employees receiving personal data protection training is the decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/357, "About a data breach notification of an insurance company". In this decision, it was determined that a data breach occurred when a subcontractor's employee sent the list of name-surname, contact and licence plate information kept in the systems from the corporate e-mail address assigned to him to his personal e-mail address on 22.10.2019 and 24.10.2019. Evaluating that the data leak prevention application was designed to catch certain keywords, but generated no warning because the content that was leaked did not contain those keywords, the board imposed an administrative fine of 90,000 TL on the company.
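The finding above, that a keyword-only DLP rule produced no alert for a list of names, phone numbers and licence plates, is the kind of gap a content-inspection rule based on data patterns and record volume is meant to close. The following is an added example written for this summary, not code from the decision or from any DLP product; the keyword list, the simplified Turkish plate and mobile-number patterns, the record threshold and the message body are all constructed assumptions.

```python
"""Keyword-only versus pattern-and-volume DLP inspection (added example).

Compares the two rule styles on a constructed outbound e-mail body that
resembles the leaked list: names, mobile numbers and licence plates but
none of the configured keywords.
"""
import re

# Hypothetical keyword list of the kind a keyword-only DLP rule might use.
KEYWORDS = ("gizli", "confidential", "kişisel veri", "müşteri listesi")

# Simplified patterns (assumptions, not any product's real signatures):
# Turkish licence plate: 2 digits, 1-3 capital letters, 2-5 digits, e.g. "34 ABC 123".
PLATE_RE = re.compile(r"\b\d{2} ?[A-Z]{1,3} ?\d{2,5}\b")
# Turkish mobile number written as 05xx xxx xx xx with optional spaces.
PHONE_RE = re.compile(r"\b05\d{2} ?\d{3} ?\d{2} ?\d{2}\b")

# Constructed outbound e-mail body with fictional personal data.
SAMPLE_BODY = """\
Merhaba, liste ekte.
Ayşe Yılmaz, 0532 111 22 33, 34 ABC 123
Mehmet Kaya, 0542 444 55 66, 06 DEF 4567
Zeynep Demir, 0555 777 88 99, 35 GH 12345
Ali Çelik, 0533 222 33 44, 16 JKL 678
Fatma Şahin, 0544 666 77 88, 01 MN 90123
"""


def keyword_rule(body: str, keywords=KEYWORDS) -> bool:
    """Keyword-only rule: alerts only if a configured keyword appears."""
    lowered = body.lower()
    return any(k in lowered for k in keywords)


def pattern_rule(body: str, max_records: int = 3) -> dict:
    """Pattern-and-volume rule: count personal-data patterns and alert when the
    number of plate/phone records in a single message exceeds max_records
    (threshold is an assumption)."""
    plates = PLATE_RE.findall(body)
    phones = PHONE_RE.findall(body)
    records = max(len(plates), len(phones))
    return {
        "plates": len(plates),
        "phones": len(phones),
        "records": records,
        "alert": records > max_records,
    }


if __name__ == "__main__":
    print("keyword rule alert:", keyword_rule(SAMPLE_BODY))
    print("pattern rule:", pattern_rule(SAMPLE_BODY))
```

On the constructed body the keyword rule stays silent while the pattern rule counts five plate and five phone records and alerts; in a real deployment the thresholds and patterns would be tuned to the organisation's own data types and normal message volumes.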
In the Summary of Decision of the Personal Data Protection Board dated 09/07/2020 and numbered 2020/530, "About a bank's data breach notification";
Because the employee was not restricted from making a high number of inquiries, 10,529 ENT inquiries were made concerning 1,052 persons. It was stated that the personal data of 23 people in total were affected.
The board decided to impose an administrative fine of 200,000 TL on the grounds that the "Personal Data Protection Law Training" given by the data controller was not sufficient.
In the Summary of Decision of the Personal Data Protection Board dated 22/07/2020 and numbered 2020/567, “About the data breach notification of a toy retailer data controller”;
- User identities must be verified in order to ensure the security of access to personal accounts; considering that the data controller planned to deploy the two-factor authentication method (SMS/Captcha), one of the security measures that should have been in place before the data breach, only after the data breach, the necessary technical measures to ensure data security had not been taken by the data controller,
- When the passwords of the accounts affected by the breach were examined, it was seen that customer passwords could consist only of digits or only of letters, and that customers were not forced to create strong passwords when opening an account,
- Considering that the attackers were able to gain unauthorized access to a certain number of accounts before the web application firewall (WAF) determined whether the unauthorized access activity was an attack or a normal user login, an administrative fine of 75,000 TL was imposed on the grounds that the data controller could not provide application security.
This decision, which draws attention to the importance of forcing customers to create strong passwords, is a precedent. In addition to two-factor measures, data controllers must also take precautions such as authentication controls and strong password requirements.
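The weakness named in this decision, passwords made only of digits or only of letters, is one a server-side policy check can reject at account creation. Below is an added example of such a check, written for this summary rather than taken from the decision or any vendor; the minimum length, the number of character classes required and the small denylist are assumptions.

```python
"""Server-side password policy check (added example).

Rejects digits-only and letters-only passwords, the pattern the decision
found on the affected accounts, and applies a few further rules a typical
policy would add.  All thresholds below are assumptions.
"""
import re
import unicodedata

MIN_LENGTH = 10          # assumed minimum length
MIN_CLASSES = 3          # assumed minimum number of character classes
# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "12345678", "111111"}


def character_classes(password: str) -> set:
    """Return the set of character classes present: digit, lower, upper, symbol."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            # Letters without case (e.g. CJK) are counted as "upper" for simplicity.
            classes.add("lower" if ch.islower() else "upper")
        else:
            classes.add("symbol")
    return classes


def validate_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    pw = unicodedata.normalize("NFC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("digits only")
    if pw.isalpha():
        problems.append("letters only")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    # Four or more identical characters in a row (e.g. "aaaa").
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeated character run")
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "abcdefghij", "aaaa1111!Bb", "Kvkk-2020!Board"):
        print(repr(candidate), "->", validate_password(candidate) or "accepted")
```

The check returns every violated rule rather than stopping at the first, so the registration form can tell the customer exactly what to change; the same function should run on the server even when the browser also validates, since client-side checks can be bypassed.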
In the decision of the Personal Data Protection Board dated 17/09/2020 and numbered 2020/715, “About the data breach notification of an e-commerce company”;
It was noted that the data controller did not ensure that users change their passwords at certain time intervals, and that the rule on the web application firewall (WAF) preventing repeated successful logins from the same IP address, which should have been in place before the data breach, was put in place only after the breach. On this basis it was decided to impose an administrative fine of 165,000 TL.
Summary of the Decision of the Personal Data Protection Board dated 20/01/2020 and numbered 2020/50, “About a data breach notification of a retail clothing company”
- The fact that the data breaches that took place on 01.08.2018 and 21.10.2018 were detected only on 02.07.2019, approximately one year later, is an indication that the Company does not have a log recording/tracking and alarm system for the transactions performed, or does not use it effectively, and that the required controls are not carried out by the Company,
- Since the fact that personal data could be seen by third-party vendors/providers via the URL is considered an indication that the tests performed during the web page design phase were insufficient or that the necessary tests were not carried out, and since the breach was detected late because of the inadequacy of those tests and the lack of tracking/alarm systems for the transactions performed, it was decided to impose an administrative fine of 50.000 TL.
Summary of the Decision of the Personal Data Protection Board dated 05/05/2020 and numbered 2020/345 "About the data breach notification of the data controller operating in the field of computer games"
In this published decision summary, it was concluded that:
- the roles and responsibilities of all employees regarding personal data security should be defined in their job descriptions,
- employee awareness should be high,
- the corporate culture to be created should be arranged in accordance with the principle of "Everything is Forbidden Unless Allowed".
Training employees on issues such as protecting personal data and not sharing it unlawfully is of great importance in preventing data breaches.
Furthermore, in the same decision;
Although the data controller stated that many of its policies had been signed by the personnel, it was stated that the employee's copying of files containing personal data to his own portable storage device indicated that the policies were not implemented effectively and did not have a sufficient effect on awareness.
The data breach occurred when a former employee, after the termination of the employment relationship, uploaded the folder containing the data controller's source code and data files to github.com (GitHub) without authorization. The continued availability of the former employee's source code on the github.com website is a security vulnerability: the source code may be analysed by unauthorized third parties and lead to further security vulnerabilities.
The date of the breach was 19.04.2017, the date of detection 09.01.2019, and the date of notification to the Authority 28.02.2019. Since the breach was detected only on 09.01.2019, almost 2 years later, it was determined that security checks were not carried out regularly. It was decided to impose an administrative fine of 100.000 TL on the data controller for not taking the necessary administrative and technical measures, and 30.000 TL for acting in violation of the obligation to notify as soon as possible, 130.000 TL in total.
In the two decisions above, it is seen that very heavy penalties were imposed because the data controllers failed to fulfil their responsibilities.
In order for data controllers to combat internal or external attacks and cyber crime, the following are required:
1- Checking which software and services are running on the information networks,
2- Determining whether there is an intrusion, or any activity that should not be present, on the information networks,
3- Regularly keeping records of all users' transaction activities (such as log records),
4- Reporting security problems as quickly as possible,
5- Establishing a formal reporting procedure for employees to report security vulnerabilities in systems and services, or threats that exploit them.
In addition, they are obliged to take administrative and technical measures before it is too late.
Summary of the Decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/359 "About a bank's data breach notification"
- A former employee of the data controller bank performed 5695 Turkish ID number queries; 2028 of these queries concerned Bank customers and 2851 concerned persons who were not Bank customers,
- The data breach could only be detected after nearly 1 year,
- Controls and arrangements regarding user authorizations and roles that should have been made by the data controller before the breach, such as limiting authorization in user-based log records, closing screens to unnecessary roles, and including a warning text on the protection of personal data, were carried out only after the breach, which indicates that the relevant administrative and technical measures were not adequately taken before the breach,
- Although, after the data breach, the camera records of users making more than 250 queries were examined to check for a situation that would constitute a data breach, no such control and restriction was carried out before the breach,
- Although 86% of the data controller's employees received training, no supporting documentation was sent for the remainder; considering these matters, the board decided to impose an administrative fine of 400.000 TL,
- Of the 5695 people affected by the data breach, only those whose contact information was held by the Bank were notified; in this context, reasonable efforts were not made to notify all affected persons, and, despite the Authority's request, the number of persons notified of the breach and whether these persons were Bank customers were not reported to the Authority. For these reasons an administrative fine of 50.000 TL was imposed, making 450.000 TL in total.
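Both bank decisions above (2020/530, where one employee was not restricted from making 10,529 inquiries, and 2020/359, where 5695 ID queries, more than half on non-customers, were reviewed only afterwards against a 250-query threshold) turn on per-user query monitoring that did not exist before the breach. The following is an added example of such monitoring over a constructed query log; it is not code from either decision or from the bank. The log format, usernames, ID numbers and counts are constructed, the 250-query limit is taken from the 2020/359 review criterion, and the non-customer ratio threshold is an assumption.

```python
"""Per-user lookup monitoring over a constructed query log (added example).

Flags users who exceed a daily query limit and users whose lookups mostly
target persons who are not customers, the two patterns the bank decisions
describe.  All data below is constructed.
"""
from collections import defaultdict
import random

QUERY_THRESHOLD = 250      # daily per-user limit, taken from the 2020/359 review criterion
NON_CUSTOMER_RATIO = 0.3   # assumed: flag users whose lookups are mostly on non-customers


def build_sample_log(seed: int = 7) -> list:
    """Construct log lines of the form 'YYYY-MM-DD user subject_id customer|non_customer'."""
    rng = random.Random(seed)
    lines = []
    # emp_a: 300 lookups, 180 of them on non-customers (constructed insider pattern).
    for i in range(300):
        kind = "non_customer" if i < 180 else "customer"
        lines.append(f"2020-03-02 emp_a {rng.randint(10**10, 10**11 - 1)} {kind}")
    # emp_b: 40 routine lookups, all on customers.
    for _ in range(40):
        lines.append(f"2020-03-02 emp_b {rng.randint(10**10, 10**11 - 1)} customer")
    rng.shuffle(lines)
    return lines


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    date, user, subject, kind = line.split()
    return {"date": date, "user": user, "subject": subject, "customer": kind == "customer"}


def summarize(lines) -> dict:
    """Aggregate lookups per user and attach the reasons each user was flagged."""
    stats = defaultdict(lambda: {"total": 0, "non_customer": 0, "distinct": set()})
    for line in lines:
        rec = parse_line(line)
        s = stats[rec["user"]]
        s["total"] += 1
        s["distinct"].add(rec["subject"])
        if not rec["customer"]:
            s["non_customer"] += 1
    result = {}
    for user, s in stats.items():
        ratio = s["non_customer"] / s["total"]
        reasons = []
        if s["total"] > QUERY_THRESHOLD:
            reasons.append("volume")
        if ratio > NON_CUSTOMER_RATIO:
            reasons.append("non_customer_ratio")
        result[user] = {
            "total": s["total"],
            "distinct_subjects": len(s["distinct"]),
            "non_customer": s["non_customer"],
            "reasons": reasons,
        }
    return result


if __name__ == "__main__":
    for user, info in sorted(summarize(build_sample_log()).items()):
        print(user, info)
```

Run daily over the real query log, the same aggregation gives the list of users to review; the decisions make the point that this review, and a hard limit on query volume per role, must exist before an incident rather than be assembled afterwards from camera footage.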
Summary of the Decision of the Personal Data Protection Board dated 22/05/2020 and numbered 2020/421 "About a data breach notification of a data controller operating in the personal care sector"
- The breach occurred on 04.03.2020; the person or persons concerned connected from more than 14,000 IP addresses, tried e-mail and password pairs on the site, and tried a different e-mail/password pair after each attempt,
- As a result of the examination made by the data controller, these attempts led to successful logins into the accounts of 2092 users,
- Considering that the name-surname, e-mail, mobile phone, gender, birthday, delivery/invoice addresses and order history information of the data controller's customers were affected by the breach, it was decided to impose an administrative fine of 210.000 TL.
Summary of the Decision of the Personal Data Protection Board dated 16/06/2020 and numbered 2020/463, "About a data breach notification of a data controller operating in the pharmaceutical industry"
A multinational company working on sensitive personal data should perform penetration tests and risk analyses for such attacks, identify threats, close security gaps, and take measures to ensure data security by tracking log records.
Considering that the breach constituted a violation of the statements in Article 3.6 of the Personal Data Security Guidelines, under the heading "Backup of Personal Data": “…there may be malware that forces the data controller to pay a ransom. It is recommended to develop data backup strategies to ensure personal data security against such malicious software. On the other hand, backed up personal data should be accessible only by the system administrator, and data set backups should be kept out of the network. Otherwise, the use of malicious software on the backups of the data set or the deletion and destruction of the data may be faced with…”, the board decided to impose an administrative fine of 125,000 TL.
Data breach notification of a data controller providing enterprise software services in technology;
- A password spraying attack occurred, in which the attackers obtained, by password guessing, the passwords of a large number of accounts that used weak passwords,
- The theft of more than 6 TB of data from a share drive was due to the large amount of data stored on this share drive,
In addition to an administrative fine of 75,000 TL, the company received an additional 50,000 TL fine for failing to comply with the 72-hour notification period, having notified after 55 days, making 125,000 TL in total.
In this period of frequent data breaches, companies are required to act in accordance with the obligation of "notifying as soon as possible" in paragraph 5 of Article 12 of the KVKK.
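Three of the decisions above describe login-abuse patterns a defender can pick out of an authentication log: credential stuffing from more than 14,000 source addresses with a different e-mail/password pair per attempt (2020/421), password spraying across many accounts (this decision), and the WAF rule against repeated successful logins from one IP address that was added only after the breach (2020/715). The code below is an added example of detection logic for all three, written for this summary and not taken from any of the decisions; the login events, IP addresses (documentation ranges), account names and thresholds are constructed assumptions.

```python
"""Detecting credential stuffing, password spraying and a noisy source IP
in a constructed authentication log (added example).

Each event is {"ip", "user", "ok"}; the whole list is treated as one
detection window.  Thresholds are assumptions.
"""
from collections import Counter, defaultdict
import random

# Documentation (TEST-NET) prefixes used for the constructed attacker addresses.
PREFIXES = ["192.0.2", "198.51.100", "203.0.113"]


def generate_events(seed: int = 3) -> list:
    """Construct a login event list mixing normal traffic with three abuse patterns."""
    rng = random.Random(seed)
    events = []
    # Normal traffic: 20 users, each from its own address, mostly succeeding.
    for i in range(20):
        events.append({"ip": f"10.0.0.{i + 1}", "user": f"user{i}", "ok": rng.random() < 0.9})
    # Credential stuffing: 400 distinct addresses, one leaked pair each, ~15% of pairs still valid.
    for i in range(400):
        ip = f"{PREFIXES[i // 256]}.{i % 256}"
        events.append({"ip": ip, "user": f"victim{i}", "ok": rng.random() < 0.15})
    # Password spraying: one address trying one guess against 60 accounts; one guess succeeds.
    for i in range(60):
        events.append({"ip": "203.0.113.250", "user": f"user{i}", "ok": i == 17})
    # Post-compromise account checking: one address logging into 8 accounts successfully.
    for i in range(8):
        events.append({"ip": "203.0.113.251", "user": f"victim{i}", "ok": True})
    rng.shuffle(events)
    return events


def detect(events, min_stuffing_ips=100, spray_min_users=25, max_per_user=2, noisy_logins=5) -> dict:
    """Apply three rules to the event window and report what fired."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)

    # Credential stuffing: many addresses that each make one or two attempts and fail at least once.
    low_volume_failing = [
        ip for ip, evs in per_ip.items()
        if len(evs) <= 2 and any(not e["ok"] for e in evs)
    ]
    stuffing = len(low_volume_failing) >= min_stuffing_ips

    # Password spraying: one address touching many distinct accounts, few attempts per account.
    spraying_ips = []
    for ip, evs in per_ip.items():
        per_user = Counter(e["user"] for e in evs)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= max_per_user:
            spraying_ips.append(ip)

    # WAF-style rule from 2020/715: one address producing many successful logins.
    noisy_ips = [
        ip for ip, evs in per_ip.items()
        if sum(1 for e in evs if e["ok"]) >= noisy_logins
    ]

    return {
        "stuffing": stuffing,
        "failing_low_volume_ips": len(low_volume_failing),
        "spraying_ips": spraying_ips,
        "noisy_ips": noisy_ips,
    }


if __name__ == "__main__":
    print(detect(generate_events()))
```

The stuffing rule looks at the window as a whole, since no single source address stands out; the spraying and noisy-IP rules are per address and can feed a WAF block list directly. In production the window would be a sliding interval (for example a few minutes), and the thresholds would be set from the site's normal login volume.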
Summary of the Decision of the Personal Data Protection Board dated 20/05/2021 and numbered 2021/511-512-513, "About the notices regarding the unlawful access of the personal data in the enforcement proceedings files by the Ministry of Justice with the help of the personnel working in the enforcement offices, and the unlawful transfer of the personal data in the enforcement proceedings files of the debtors to the attorneys representing the creditor"
- Within the framework of Article 85 of the Enforcement and Bankruptcy Law No. 2004, the debtor's own receivables or receivables held by a third party can be seized, and the debtor's property, rights or receivables can be queried by the creditor through the National Judicial Network Information System pursuant to Articles 8/a and 78 of the Law No.; according to Article 46 of the Attorneyship Law No. 1136, the creditor's attorney can examine case and enforcement proceedings files without presenting a power of attorney; in this context, provided that the condition in subparagraph (a) of the second paragraph of Article 5 of the Law No. is met, since personal data processing activities may be carried out regarding the enforcement files in which the person is a creditor, there is no problem in terms of the Law No. with a task to be carried out within this scope,
- Article 2 of the Attorneyship Law No. 1136 provides that the relevant authorities are obliged to submit to lawyers, for review, the information and documents lawyers need to perform their duties; in this context, under the rule that "provisions in other laws regarding the transfer of personal data are reserved", the Ministry of Justice may, through the personnel working in the enforcement office, transfer personal data to the creditor's attorneys in order to provide information and documents about the enforcement files in which the debtor is a party. It was therefore decided that there is no action to be taken within the scope of Law No. 6698 regarding the alleged unlawful transfer.
The decisions show that, although institutions and organizations carry out their activities entirely on technology, they may still encounter data breaches. Considering all of this, it is necessary to correctly assess the likelihood of the risks to the protection of data and the losses that would be caused if they materialize, and to take appropriate measures. After defining and prioritizing these risks, control and solution alternatives should be put into practice to reduce or eliminate them.