In summary, the data breach notification submitted to the Personal Data Protection Authority (“Authority”) by Güreli Yeminli Mali Müşavirlik ve Independent Audit Services Inc. states that:
- “The data breach occurred as a result of a ransomware attack on the data controller's file servers,
- The breach started on 16.07.2022 and was detected on 09.08.2022, after the information systems officer noticed text files stating that the files had been stolen and a ransom was being demanded,
- The groups of data subjects affected by the breach are customers and potential customers,
- It is considered that personal data in the categories of identity (name, surname), contact (e-mail address, phone number) and finance (invoice, commercial records), contained in the commercial data obtained from legal entity customers within the scope of sworn financial consultancy and independent audit activities, may have been affected by the breach,
- The number of persons and records affected by the breach has not yet been determined, and work on determining it continues,
- Information regarding the breach can be obtained from the e-mail address [email protected] and the telephone numbers 444 9 475 – (0212) 285 01 50”.
Conclusion:
As seen in the aforementioned data breach notification shared on the institution's website, it is clear that the data controller making the notification processes important data of legal entities, such as identity, contact and financial records, as required by its business organization. Even if the data processed and stored in the course of this activity does not directly qualify as personal data, appropriate measures must be taken in accordance with the KVKK and its secondary legislation, since a breach of such data would cause great harm to the managers of those legal entities.
In this context, even though the data it processes are not directly of a special category but are of an important nature, the data controller should apply, to the extent relevant, the measures listed in the Board's decision dated 31.01.2018 and numbered 2018/10 on the Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data, namely:
- “Preserving data using cryptographic methods,
- Keeping cryptographic keys secure and in different environments,
- Securely logging the transaction records of all movements performed on the data,
- Continuously monitoring the security updates of the environments where the data is located, regularly performing the necessary security tests and recording the test results,
- If the data is accessed through software, managing user authorization for this software, regularly performing security tests of the software and recording the test results,
- If remote access to the data is required, providing at least a two-factor authentication system”. Taking these measures is of great importance so that the important data it processes is meaningless to malicious third parties even if it is captured, and so that the harm that may be suffered, both by the data controller itself and by its data processors, is minimized.
In addition to the measures foreseen for the processing of sensitive data listed above, every technical and administrative measure regulated in the KVKK Data Security Guide must be taken and checked at periodic intervals, so that vulnerabilities are detected and eliminated in advance and the damage that may arise from potential data breaches is minimized.
One of the basic principles to be observed while processing data is that the processed data should be relevant to, limited to and proportionate with the purpose for which they are processed. Within the framework of this principle, data controllers and data processors should minimize the data they process.
You can reach the Data Breach Notification Decision via this link: