In the data breach notification sent to Institution by the data controller;
- The breach occurred when some customers’ personal data were accidentally transferred via a URL to the internal systems of the data controller and to some third-party vendors/providers that they work with while opening a new account, and this was detected during a regular audit of the data controller,
- When institution is notified of the data breach, the data controller receives confirmation from two application analysis providers that the data has already been automatically deleted,
- Within the scope of the investigation carried out to investigate the issue in more detail after the initial findings, it was learned that data were inadvertently collected by seven other URLs and that these were directed to the tag management system of the data controller (the information that the relevant persons in Turkey had done in two of these seven URLs. affected by the error),
- The number of related persons affected by the violation is 44,
- The categories of persons affected by the breach are subscribers/members, customers/potential customers,
- In the first letter of the company to Institution, dated 10.06.2019, the personal data affected by the breach included mandatory fields such as e-mail address, date of birth, password data in the form of clear text, also name and surname data, which is not a mandatory field, may have been affected,
- It is stated that the relevant persons were notified via e-mail on 23.07.2019.
As a result of examining the data breach notification within the framework of our authority and duty; With the Decision of the Personal Data Protection Board dated 20/01/2020 and numbered 2020/50;
It was concluded that
- The fact that the data breaches that took place on 01.08.2018 and 21.10.2018 were detected on 02.07.2019, approximately one year later, indicates that the Company does not have a log record/tracking alarm system for the transactions carried out or is not used effectively and the necessary controls are not made by the Company,
- The fact that the personal data is seen by third-party vendors/providers via the URL is an indication that the tests performed during the web page design phase are insufficient or that the necessary tests are not performed.
The tests carried out during the design phase of the web page were insufficient and the violation detection was made late due to the lack of tracking/alarm systems regarding the transactions that took place, within the framework of paragraph (1) of Article 12 of the Law on the Protection of Personal Data (Law) numbered 6698, an administrative fine of 50.000 TL is imposed on the data controller who does not take the necessary technical and administrative measures, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law,
- Although it is seen that the violation was detected by the data controller on 29.05.2019 and the Board was notified on 06.06.2019, an investigation was conducted by the data controller residing abroad to determine whether the relevant persons in Turkey were also affected by the so-called violation after the detection date.
this period is considered to be reasonable, it has been decided that there is no action to be taken within the scope of the Law in this regard.
What Were The Shortcomings Of The Institution?
– The fact that the breach event can be detected by the Data Controller after a long time, the security controls are not carried out regularly, therefore the technical and administrative measures taken by the data controller in terms of personal data security follow-up are insufficient.
– Late notification of the breach by the Data Controller to the Personal Data Protection Board
– Failure to effectively implement the policies regarding personal data security by the Data Controller.
What Precautions Should Be Taken?
– Administrative and technical measures should have been effectively implemented by the Data Controller and made into a corporate culture.
– The data security measures taken by the Data Controller should have been implemented more frequently.
– By raising awareness in the institution by the Data Controller, the breach event should have been detected earlier.