TURKISH DPA DECISION ON A DATA BREACH BY AN INTERNET SERVICE PROVIDER

15.05.2020

The summary of the decision of the Personal Data Protection Board (“Board”) on the data breach by an internet service provider is as follows:

In the notification made by the data controller, it is stated that:

  • Online payments could not be made through the company's system, and the customers were informed about it,
  • A security gap occurred while the problem was being solved,
  • Because of the security gap, card information belonging to 69 people could be seen by 649 people,
  • The breach was caused by the attempt to fix the problem with “debug”, by adding features which produce logs.

In light of the investigation by the Board, it is found that:

  • The insufficiency of the test process implemented by the company is a sign that the company has not taken appropriate administrative and technical measures,
  • It is a technical mistake that financial and ID information related to the customers was visible, even though the company stated that personal data in the interface are stored masked or without being shown,
  • The effective date of the data controller’s data security policy is later than the date on which the breach occurred.

In this context, the company has been fined 300.000 TL on the ground that it has not taken the required administrative and technical measures within the scope of Article 12 of the Law on Personal Data Protection numbered 6698.

You can reach the text of the decision (in Turkish) here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr