The data controller made a data breach notification, detailed below, to the Personal Data Protection Authority (“Authority”):
· The data controller determined that cybercriminals had seized the passwords of authorized users of its system and, by means of a ransomware attack, prevented its employees from accessing the system.
· Ransomware attacks are the most common type of cyber-attack; examples of them are listed first in the European Data Protection Board's "Guidelines 01/2021 on Examples regarding Data Breach Notification", which describes them as follows: “In ransomware attacks, a malicious code encrypts the personal data, and subsequently the attacker asks the controller for a ransom in exchange for the decryption code”.
· The cyber-attacks in this case were carried out on 8, 11 and 12 January 2021, and the data controller detected them on 12 January 2021, at the moment its employees could no longer access the system.
· Upon identifying the computers from which the cyber-attacks were carried out, it was determined that the perpetrator was a person who had previously worked for the data controller and who was, at the time, working for the company from which the data controller was receiving cyber security services.
· In addition, the number of data subjects and the data affected by the breach were not fully and conclusively determined; however, it was estimated that 1000 data subjects (suppliers, customers, and subcontractors, including 297 company employees) may have been affected by the breach.
Upon this breach notification, in the Decision dated 16/06/2020 and numbered 2020/463:
The Personal Data Protection Board (“Board”) decided that the technical and organizational measures required under the 1st paragraph of Article 12 of the Personal Data Protection Law No. 6698 (“DP Law”) had not been taken by the data controller. Accordingly, it decided to impose an administrative fine of 125,000 TL. In particular, the Board emphasized the points below:
· The Board stated that, since the number of data subjects and the data affected by the breach could not be determined fully and conclusively, special categories of personal data belonging to an estimated 1000 data subjects may also have been affected.
· In this regard, the Board stated that it is important to act upon the warnings generated by the necessary cyber security alarm systems, and that vulnerability scans and data leakage tests must be performed regularly and their results evaluated.
· In addition, with respect to ransomware attacks, the Board emphasized the importance of data backup strategies and of restricting access to personal data solely to the system administrator.
Finally, the Board decided that the data controller had made the notifications on time and duly in accordance with its obligations (namely the obligation to notify within the 72-hour period specified in the Board decision dated 24.01.2019 and numbered 2019/10, and the obligation to fulfil the minimum requirements of a data breach notification specified in the Board decision dated 18.09.2019 and numbered 2019/271). Accordingly, it decided that no action was to be taken within the scope of the 5th paragraph of Article 12 of the DP Law.