According to the “2020 Consumer Threat Landscape Report” published by Bitdefender Antivirus Company, ransomware attacks increased 485% in 2020 compared to 2019. Currently, ransomware is known to be the most prominent form of cyber-attack.
The attacker simply places malware on the target computer system, making it inaccessible; studies suggest that roughly 1 in 3,000 emails contains malware. The attacker then demands a payment in exchange for the decryption software, generally threatening to release the data to the public or destroy it entirely unless the ransom is paid.
However, the data obtained may have greater value when offered for sale on the deep web; personal data in particular may bring a very high sum to its seller.
Besides, hackers do not use only malware to access systems and valuable data. Many social media companies, which hold significant personal data on every user, have recently experienced breaches resulting from cyber-attacks. Facebook, LinkedIn and Clubhouse were the latest companies allegedly targeted by cyber-attacks that resulted in significant data breaches.
Data allegedly obtained from the business-oriented social media platform LinkedIn was offered for sale on a popular hacker forum, with the listing covering data from 500 million profiles for a minimum 4-digit USD amount, presumably to be paid in bitcoin. Additionally, 2 million records were leaked as a proof sample for potential buyers. However, LinkedIn explained that the data allegedly put up for sale was acquired through a number of other websites and companies and that it was not the result of a data breach within LinkedIn.
Popular social networking website Facebook has made headlines many times in the past due to its rather inadequate handling of personal data. Recently it emerged that Facebook suffered a data breach sometime in 2019 and that, as a result, the details of more than 530 million people, largely consisting of mobile phone numbers, were leaked online. The hackers in this case allegedly even shared the personal phone number of Mr. Mark Zuckerberg, founder of Facebook. Facebook indicated that malicious actors obtained the data by exploiting a vulnerability in the platform function that allowed users to find each other via phone numbers, adding that this function is no longer active.
Meanwhile, newcomer Clubhouse, which facilitates audio communication among its users, was the latest platform to see an alleged 1.3 million user records leaked for free on a popular hacker forum. Clubhouse responded to the allegations by denying any breach or hack and indicated that the data in question is all public profile information on its platform, which can be accessed by any user.
Popular Turkish online food delivery company Yemeksepeti was the latest company to make national and international headlines with its recent hack. According to the information shared with the Turkish Personal Data Protection Authority, more than 21 million users were affected by the attack. Yemeksepeti informed users that the hackers got hold of user information such as name and surname, birthdate, phone number, email address and physical address.
It is unfortunate that users with an online presence are vulnerable to such leaks through hacking and that their detailed personal information is being made available to the public as a result of security breaches. It is a known fact that the data obtained from the leaks can be used maliciously against users in targeted phishing and many other types of attack.
As is known, even a simple email address, which might be connected to several other user profiles, can cause significant damage in the hands of a competent cybercriminal. Therefore, users of the platforms subject to data leaks should be even more cautious about emails and messages received from suspicious sources, as a ransomware attack might be just a click away for a targeted party.
Consequently, due to the increasing significance of personal data, Article 12 of the Turkish Law on the Protection of Personal Data obligates data controllers to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of and access to personal data and to ensure the retention of personal data. Hence, those who fail to comply with the data security obligations under Article 12 shall be required to pay an administrative fine of TRY 15,000 to TRY 1,000,000.
As a result, Yemeksepeti is currently under examination by the Turkish Personal Data Protection Authority for its possible failure to prevent access to personal data, and the decision to be rendered may set an important precedent in terms of data breach liability.