Personal Data Protection Authority : Decision for data breach notification concerning software company


The data controller made a data breach notification to the Personal Data Protection Authority (“Authority”) on April 29, 2019, the details of which are set out below:

  • The data controller reported that cybercriminals had accessed the internal network of its information systems by authenticating to corporate user accounts through “password spraying” attacks.
  • The data controller also stated that these attacks had been reported to it by the cyber security experts of the security units on March 6, 2019.
  • Upon this notification, the data controller obtained external cyber security support. It was determined that the identity (name and surname, identity number), personal (job statements, customer loyalty documents) and financial (sales records, marketing materials, payroll) data of 22 natural persons were affected by these attacks.
  • From October 2018 until March 2019, the date on which the breach was notified, more than 6 terabytes of data were leaked from the data controller's system using File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP).
  • In addition, on April 29, 2019 the data controller notified the employees whose data were affected by these attacks of the breach by e-mail (excluding 4 employees whose contact information was not available).

Upon this breach notification, in its Decision dated 16/06/2020 and numbered 2020/465:

The Personal Data Protection Board (“Board”) decided that the technical and organizational measures required to be taken under the 1st paragraph of Article 12 of the Personal Data Protection Law No. 6698 (“DP Law”) had not been taken by the data controller. Accordingly, it decided to impose an administrative fine of 75,000 TRY. In particular, the Board emphasized the following:

  • Security software messages, log records and other reporting tools must be checked regularly.
  • It is important to act upon the warnings raised by the necessary cyber security alarm systems.
  • Regular vulnerability scans and data leakage tests must be carried out, and the results of these tests must be evaluated regularly.
  • The Board also noted that “password spraying” attacks are effective when users prefer passwords that are easy to guess. It therefore also decided that the data controller had not provided its employees with password security awareness.
  • In addition, the Board stated that more than 6 terabytes of data is a large amount of data to be stored on a share drive. It therefore emphasized that technical and organizational measures had not been taken in terms of data minimization and risk minimization.

Finally, as the data controller made the notifications within 55 days, the Board decided that the “obligation to notify the data breach as soon as possible” (the obligation to notify within the 72-hour period specified in the Board decision dated 24.01.2019 and numbered 2019/10) had been violated under the 5th paragraph of Article 12 of the DP Law. Accordingly, it also decided to impose an administrative fine of 50,000 TRY, bringing the total administrative fine to 125,000 TRY.

Author: Hakan Zeren

© 2019 Deriş - All Rights Reserved