The data breach notification submitted by the data controller to the Authority includes the following statements:
- During a routine security audit, it was determined that a folder containing source code and data files had been uploaded to the github.com website, without authorization, by a former employee of the data controller (a web developer), and an investigation into the matter was started,
- Although it was determined that many files in the folder may contain information capable of identifying a subset of the data controller's users, it was observed that most of this data belonged to fake (bot) accounts that had been banned from the data controller's services,
- As the investigation went into detail, it became clear on January 12, 2019 that the data consisted of a combination of fake (bot) accounts and real accounts belonging to users residing in Turkey,
- As far as is known, as a result of the work carried out, the data in question has been removed from GitHub or closed to public access,
- The number of people affected by the breach is 62,
- Users, customers, potential customers and children are affected by the breach; almost all of those affected are adults, but a small number of children are among them,
- The personal data affected by the breach includes information such as identity (date of birth), contact (e-mail address) and location (internet service provider and user registration date and time).
Upon examining the data breach notification within the scope of the Authority's powers and duties, the Personal Data Protection Board, by its Decision dated 05/05/2020 and numbered 2020/345, considered the following:
- The data breach occurred after the termination of the employment relationship between the data controller and a former employee, when that person uploaded to github.com (GitHub), without authorization, a folder containing the source code and data files produced during his work. A former employee's uploading of source code to GitHub is itself a security vulnerability, since the source code can be analyzed by unauthorized third parties and lead to further security vulnerabilities. It was therefore understood that the data controller had not adequately taken the necessary technical and administrative measures for personal data security. This also indicates that the data controller did not act in accordance with item 2, "Training of Employees and Awareness Activities", of the Personal Data Security Guide (Technical and Administrative Measures) published by the Personal Data Protection Authority, which states: "... in terms of ensuring personal data security, it is very important for employees to receive training on issues such as not disclosing or sharing personal data unlawfully, to conduct awareness activities for employees, and to create an environment in which security risks can be identified. Regardless of their position within the data controller, the roles and responsibilities related to personal data security should be defined in job descriptions, and employees should be aware of their roles and responsibilities in this regard. In addition, when granting access rights to media containing personal data or building a corporate culture on this subject, attention should be paid to the principle of 'Everything is Forbidden Unless Permitted' rather than the principle of 'Everything is Free Unless Prohibited'."
- The breach occurred on 19.04.2017, was detected on 09.01.2019, and was notified to the Authority on 28.02.2019. That the breach was detected only after almost two years indicates that security controls were not carried out regularly and, therefore, that the technical and administrative measures taken by the data controller for monitoring personal data security were insufficient.
- Although the data controller stated that many of its policies had been signed by its personnel, the fact that the employee in question copied files including personal data to his own portable storage device indicates that those policies were not implemented effectively and did not have sufficient impact on awareness.
- It was decided, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law on the Protection of Personal Data No. 6698, to impose an administrative fine of 100,000 TL on the data controller for failing to take the necessary technical and administrative measures to ensure data security within the scope of paragraph (1) of Article 12 of the Law,
- Considering that the data breach that took place on 19.04.2017 was detected on 09.01.2019 and notified to the Authority on 28.02.2019, which constitutes a violation of the data controller's obligation under paragraph (5) of Article 12 of the Law to notify as soon as possible, it was decided, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law, to impose an administrative fine of 30,000 TL on the data controller, bringing the total to 130,000 TL.
WHAT WERE THE SHORTCOMINGS OF THE INSTITUTION?
– The breach was detected by the Data Controller only after a long time; security controls were not carried out regularly, and therefore the technical and administrative measures taken by the Data Controller for monitoring personal data security were insufficient.
– Late notification of the breach by the Data Controller to the Personal Data Protection Board
– Failure to effectively implement the policies regarding personal data security by the Data Controller.
– The Data Controller’s failure to comply with the “Everything is Forbidden Unless Permitted” principle of the Personal Data Protection Board.
WHAT PRECAUTIONS SHOULD BE TAKEN?
– Administrative and technical measures should have been effectively implemented by the Data Controller and made into a corporate culture.
– The data security measures taken by the Data Controller should have been applied more frequently.
– The Data Controller should have raised awareness within the institution so that the breach could have been detected earlier.
– To prevent possible future breaches at the Data Controller, employee awareness within the institution should be increased; for example, breaches in similar lines of business could be communicated to the institution's employees, supported by training.