29 Jul, 2022

NeoPets Inc. Reported Massive Data Breach

As a data controller, NeoPets Inc. The data breach notification reported by the Personal Data Protection Authority ("Institution") was shared on the Authority's website with the decision of the Personal Data Protection Board ("Board") dated 28 July 2022 and numbered 2022/757. In summary, in this data breach notification shared;

  • “The violation took place on 17.07.2022 and it was detected on 20.07.2022,
  • The data controller has detected a cyber attack against some of their systems; then, on a forum site, the attacker made a post about the data of approximately 69 million current and former users from the online platform belonging to the data controller, and published an announcement in order to sell the source codes and database in the said post,
  • The categories of personal data affected by the breach are identity, communication and transaction security but research continues on this subject,
  • The breach affected the data of users, subscribers/members and children, /span>
  • The number of persons and records affected by the violation not yet determined 3.5 million active and 65 million inactive accounts on the online platform
  • Data controller; He started working with a forensics firm to determine when and how the data leak occurred and which data was affected by the breach.

Conclusion:

The fact that the field of activity of the data controller in the concrete case is mostly related to children causes us to conduct a special investigation on this issue. Although the Law on Protection of Personal Data No. 6698 (“Law”) does not contain a specific regulation for children, it may lead to the misconception that children's personal data is not within the scope of the Law.

In order not to fall into this error, it is necessary to examine the definition regulated as "any information relating to an identified or identifiable natural person" in Article 3 of the Law titled Definitions. According to the definition, all kinds of information regarding real persons that make the identity definite or identifiable are considered to be within the scope of the law. In Article 28 of the Turkish Civil Code (“MK”) numbered 4721, “Personality begins when the child is born fully alive and ends with death. The child acquires his legal capacity from the moment he is conceived, provided that he is born alive.” there are regulations. According to the regulation in the MK, a person acquires the right to be entitled as soon as he is conceived, provided that he is born alive. In this context, provided that the individual is conceived and born alive, regardless of age, Article 20/3 of the Constitution. (“Everyone has the right to demand the protection of their personal data…”). According to the explanations made, although there are no specific regulations regarding children in the Law, it is clear that every individual is within the scope of the Law from the moment they are conceived and meet the condition of being alive.

Data controllers serving children should make more of an effort than usual to keep the clarification texts/policies simple and simple for children to understand. In this context, children, adults and product and service developers have separately explained the issues that should be considered in the protection of children's personal data on the Institution's website. In this context, it is stated that data controllers should pay maximum attention and care to the issues of special lighting for children, keeping the processing of children's data at a minimum level, and taking technical and administrative measures to protect children's data in a more sensitive form.

Considering every potential cyber attack that the data controller may encounter, they should receive limited data from the relevant persons as necessary. The fact that the data controller in the aforementioned data breach keeps 65 million inactive accounts in its own database without deleting/anonymizing/masking any inactive accounts without designing this process causes more grievance than normal.

Concisely; Since data controllers can minimize the victimization that may occur in possible cyber attacks, both for themselves and for the relevant persons, by taking the technical and administrative measures envisaged in the public announcements and guides shared by the Board, in accordance with the relevant legislation, by eliminating vulnerabilities by periodically checking/updating them. they need to pay great attention to this issue. 

Related Data Breach: https://www.kvkk.gov.tr/Icerik/7416/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-NeoPets-Inc- 

Public announcement on the matters to be considered in the processing of children's personal data on the Institution's website: https://www.kvkk.gov.tr/Icerik/6737/Cocuklarin-Kisisel-Verilerinin-Korunmasi-Bakimindan-Dikkat-Edilmesi-Gerekenler 


To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.


 

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram