The Turkish Personal Data Protection Authority ("Authority") has published its decision dated 22/05/2020 and numbered 2020/421 data breach notification regarding a data officer operating in the personal care sector. The decision relates to a late-detected violation due to preliminary tests.

The following issues were revealed in the data breach notification of the data controller to the Authority:

• On 06.03.2020, a message was received to the data controller's email address from an unidentified person that the data controller had seized the email address/passwords of the website members. 
• During the examinations, it was found that more than 14,000 IP connections and more than 500,000 email/password combinations were tried on the site. In this way, the passwords of the accounts of 2092 site users have been verified.

The Authority made the following conclusions in its decision:

• The violation may affect the first name, last name, email, mobile phone, gender, birthday, delivery/billing addresses, and order history information belonging to the data officer customers.
• It has been taken into consideration that the data controller did not notice this traffic in its ordinary traffic. The violation was detected due to the email sent by unidentified persons who committed the violation.
• The fact that the excess number of failed attempts, except 2092 users whose account has been logged in, cannot be noticed by the data controller shows a lack of monitoring of information networks.

Concerning the reasons explained above, about the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Personal Data Protection Law (Law) No. 6698, it is decided to impose a 210.000 TL administrative fine according to subparagraph (b) of paragraph (1) of Article 18 of the Law. 

Author: Melis Karadeniz