20 January 2020

In accordance with the provision of article 12 paragraph 5 of the Law on the Protection of Personal Data[1]Exeltis Pharmaceutical Industry and Trade Inc. sent a notification to the Turkish Data Protection Board (“the Board”) on 14.01.2020. With this notification, Exeltis has informed the Board as a data controller on these subjects;

  • The breach occurred by seizing the company's authorized user password as a cyberattack caused by malware and ransomware.
  • The breach took place at 22:00 on 11.01.2020, ended at 03:00 on 12.01.2020, and determined at 13:05 on 12.01.2020, 
  • The personal data affected by the breach were identity, communication, location, employees’ personnel information, legal transaction, customer transaction, transaction security, risk management, finance, and marketing information; the sensitive personal data affected by the breach were health, criminal conviction, and security measures information,
  • People affected by the breach were employees, users, customers, and potential customers,
  • The estimated number of people affected by the breach is around 1,000, and the exact number has not yet been determined,
  • Data subjects would be able to receive information from the IT department, help desk or KVKK Committee about the data breach via e-mail or phone.

It has been stated in the public announcement published on the website of the Board that the investigation on the subject is still ongoing.

You can find the text of the public announcement (in Turkish) here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

[1]In case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.”