Personal data breach notifications continue to come from banks. After ING and TEB, Denizbank is the latest to be affected by employees of the institution exceeding their authority. The breach occurred because bank personnel working as Customer and Transaction Officer made more inquiries than necessary through query screens containing personal data. That the sector and the scenario are exactly the same clearly shows that this is not a coincidence: the access authorization in the common query systems used here is faulty and insufficient.

Financial institutions are inspected regularly, invest more in cyber security than any other sector, and are obliged to comply with many standards, frameworks and policies; unfortunately, the failure to implement these leads to such data breaches. Organizations also mostly consider external attacks in their data risk analysis. These examples should make it clear that approximately 80% of the risk comes from errors and misuse by users and systems within the organization. If access authorizations are not set appropriately and user logs are not analyzed with preventive and detective systems, the institution should accept that it has too many vulnerabilities inside and develop the necessary controls.

Fortunately, this violation, which lasted about 11 months, was discovered during regular inspections by the Denizbank Inspection Board. As stated on the Board page, investigations are continuing at Denizbank.