Güneş Ekspres Aviation A.Ş. is the data controller. In summary, in the data breach notification submitted by (SunExpress) to the Personal Data Protection Board;

• A cyber attacker gained unauthorized access to the campaign management platform used by the data controller by obtaining the login information of an administrator account and sent phishing e-mails through this account,
• The violation occurred on 15.07.2024 and was detected on the same day,
• The cyber attacker sent a total of 1,986,293 e-mails to 596,659 unique e-mail addresses,
• Relevant groups of individuals affected by the breach; employees, customers and potential customers,
• The category of personal data affected by the breach is contact (e-mail) information,
• 596,659 e-mail addresses to which the cyber attacker sent e-mails;
  • 86 belong to employees (current and former employees), 249,668 belong to customers,
  • The source of 346,905 e-mail addresses is unknown and they are e-mail addresses uploaded to the system by the cyber attacker during the attack,
• • Relevant persons can obtain information about the data breach through the form on the data controller's website (https://www.sunexpress.com/tr-tr/verilerin-korunmasi/).

information is included.

Although the investigation on the issue continues, with the Decision of the Personal Data Protection Board dated 18.07.2024 and numbered 2024/1230, it was decided to announce the data breach notification on the Authority's website.

Source of New: KVKK Public Announcement (Notification of Data Breach)