Pursuant to the mandatory provision 12/5, titled Obligations Regarding Data Security, of the Personal Data Protection Law No. 6698 (“Law”), when personal data processed by the data controller is obtained by third parties unlawfully, the data controller is obliged to notify the relevant person and the Personal Data Protection Board (“Board”) as soon as possible.
Türkiye Elektrik Dağıtım A.Ş.
The data breach notification submitted to the Board by Türkiye Elektrik Dağıtım A.Ş., as data controller, and published on the Board's website on 7 July 2022 states, in summary:
- “The user name and password of an employee of the data controller were captured in an undetermined manner, and the user account and other user data registered in the system were leaked by being sent to an e-mail address,
- The violation was detected during the intelligence studies carried out on the Dark Web by the Ministry's Cyber Security Operations Center,
- The groups of persons affected by the violation are employees and citizens,
- The personal data affected by the breach are name, surname, e-mail and mobile phone number,
- The number of people affected by the violation is 208,000.”
Conclusion:
Because it provides critical infrastructure services, the company that reported the above-mentioned data breach should pay extra attention to protecting the personal data it processes. The administrative and technical measures set out in the Law, the relevant regulations and the Personal Data Security Guide must be strictly followed. Among the administrative measures, employees need to store their usernames and passwords securely. It should also be noted that, across training, media and technical measures, authorization to access processed personal data should give individuals only as much access as their work requires. In addition, since a company providing such a critical service processes a large amount of personal data, it can keep that data masked so that, in a possible data breach, the data obtained by third parties is not meaningful. This is important in order to avoid harm to the data subjects.
Related Data Breach Notice: https://www.kvkk.gov.tr/Icerik/7395/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Turkiye-Elektrik-Dagitim-A-S-
Knauf İnşaat ve Yapı Elemanları San. ve Tic. A.Ş. and Knauf Insulation Izolation San. ve Tic. A.Ş.
The data breach notification submitted to the Board by Knauf İnşaat ve Yapı Elemanları San. ve Tic. A.Ş. and Knauf Insulation Izolation San. ve Tic. A.Ş., and published on the Board's website on 7 July 2022, includes, in summary, the following information:
- “A ransomware attack was carried out on 29.06.2022 against the German servers of the data processor Knauf Gips KG, which is the shareholder of the data controllers,
- Although the number of people affected by the breach has not been determined yet, it is probable that no data breach has occurred, because it is possible that the server holding the personal data they are responsible for was not accessed,
- Since part of the data controllers' e-mail service, the data of processes carried out through the website (marketing, contact form process, job application process, etc.) and the data collected in processes such as leave/overtime tracking, contract conclusion, purchase and sale of goods/services and dealership application/acceptance are hosted on the data processor's servers, the data that may be affected by the breach are identity, communication, personnel, legal action, customer transaction, physical space security, transaction security, risk management, professional experience, finance, marketing, audiovisual records, union membership, other, philosophical beliefs, religion, sect and other beliefs, criminal convictions and security measures, and health information; the details of the affected data will be determined as a result of the technical study,
- Although the group of persons affected by the breach has not yet been identified, the groups of persons whose data is hosted on the data processor's server are: natural or legal person with whom a commercial relationship is established, visitor, applicant, employee candidate, employee reference, trainee candidate, trainee, supplier employee, contracted legal entity official, dealer employee, employee family.”
Conclusion:
With regard to the above-mentioned data breach notification, the most effective course is for the company to take the necessary precautions against ransomware attacks, to check the measures taken periodically, and to remedy any deficiencies immediately when they are noticed. In addition, as the breach notification shows, keeping the special and ordinary categories of personal data likely to be affected by the breach on the same server under the same security measures, and processing excessive data in violation of the principle that data be relevant, limited and proportionate to the purpose for which they are processed, as set out in the general principles of the Law, cause significant harm to data subjects. The fact that even the families of the employees are included in the list of groups of persons who may be affected by the violation will constitute a violation of the general principles of the Law and will cause grievances even to those who have no relationship with the company.
Related Data Breach Notice: https://www.kvkk.gov.tr/Icerik/7394/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Knauf-Insaat-ve-Yapi-Elemanlari-San-ve-Tic-A-S-ile-Knauf-Insulation-Izolation-San-ve-Tic-A-S
Meklas Otomotiv San. ve Tic. A.Ş.
The data breach notification submitted to the Board by Meklas Otomotiv San. ve Tic. A.Ş., as data controller, and published on the Board's website on 7 July 2022 states, in summary:
- “The breach occurred when some of the data was encrypted in a ransomware attack,
- The violation took place on 29.06.2022 and was detected through the e-mail sent to the data controller on the same day,
- The groups of persons affected by the breach are employees, users, customers, and potential customers,
- The categories of personal data affected by the breach are identity, communication, personnel, transaction security, finance, marketing, and audio and visual records; the special categories of personal data affected are health information, philosophical belief, religion and sect information,
- The persons concerned can obtain information about the data breach at https://www.meklas.com/tr/kvkk/.”
Conclusion:
With regard to the above-mentioned data breach notification, the most effective course is for the company to take the necessary precautions against ransomware attacks, to check the measures taken periodically, and to remedy any deficiencies immediately when they are noticed. The presence of special categories of personal data among the data categories affected by the violation constitutes, in the relevant business context, a violation of the general principles of the Law, namely the principle that processing be limited and proportionate to the purpose for which personal data is processed. If the data controller processes more data than necessary, it creates undue grievances for the persons concerned.
By taking all the administrative and technical measures indicated in the Law, the relevant regulations and the guides with great care, carrying out checks at regular intervals and eliminating vulnerabilities, data controllers minimize the risk of possible data breaches and prevent grievances both on behalf of the company and on behalf of the persons whose data is processed.
Related Data Breach Notice: https://www.kvkk.gov.tr/Icerik/7393/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Meklas-Otomotiv-San-ve-Tic-A-S-