03 Jan, 2024

Data Breach Notification in CRM Application – MongoDB Limited

In summary, the data breach notification submitted to the Personal Data Protection Board by MongoDB Limited, which is the data controller, includes the following information:

  • It was noticed on December 13, 2023 that a user account was making unusual and suspicious queries, and the investigation was deepened accordingly,
  • There were findings that an unknown third party gained unauthorized access to the user accounts of a limited number of the data controller's employees and accessed and downloaded personal data regarding users of some services,
  • Although the investigations continue, it was determined on December 20, 2023 that customer contact information and metadata of the relevant accounts were leaked from the CRM application and customer support application,
  • Affected personal data includes name, surname, address and e-mail addresses (usually business address); however, there are other data fields in the CRM application and customer support application, which are:
    • Data fields: address, name, surname, title, account number, company name, address, telephone number (main, mobile, fax), e-mail, sales representative (MongoDB) name, surname,
    • Data fields in the customer support application: username (email address), last successful authentication time, last authentication method used, identifier for the user's preferred time zone, alphabetical code for the user's preferred time zone, user's registration date, user's first name, last name, unique user ID, whether the user has been invited but has not yet accepted the invitation, whether the user has limited permissions, the last time the page was viewed by the user, the number of times the user has logged in, whether the user has been blocked automatically or manually, whether the user has been deleted and the time of deletion, email verification date, whether email verification is required, alternative email, whether multi-factor authentication is enabled,
    • Data fields for users of the deprecated multi-factor authentication (MFA) system: phone number used for deprecated MFA, phone number extension used for deprecated MFA, alternate phone number used for deprecated MFA, alternate phone number extension used for deprecated MFA, whether an authenticator device was used for deprecated MFA, whether the user wants to receive voice calls for deprecated MFA,
  • Between 130,000 and 160,000 users from Turkey may have been affected by the breach,
  • A public announcement about the breach was published at https://www.mongodb.com/alerts#general-alert on December 16, 2023,
  • Relevant persons can receive information about the breach from the e-mail address [email protected].

Although the investigation into the issue continues, the Personal Data Protection Board decided, with its Decision dated 28.12.2023 and numbered 2023/2233, to announce the data breach notification on the Authority's website.

Source of News: KVKK Public Announcement (Notification of Data Breach)


About Content:
The data breach detected in the CRM application by MongoDB Limited was noticed through unusual user queries on December 13, 2023, and the deepened investigation determined that customer contact information and metadata were leaked through unauthorized access to the accounts of a limited number of employees. Details are in our content.