New Decisions Of The Personal Data Protection Board Were Published 04 July 2019

The Personal Data Protection Board (“Board”) announced its decisions on personal data breaches by Mariott International Inc, Clickbus Travel Services Inc. and Cathay Pasific Airway Limited on its website, on 25 June 2019.

The events that cause data violations are access to the personal data of the company's customers through unauthorized access to the information repository of companies.  Although these companies are foreign companies, as a result of the violations, it was understood that the personal data, including the name, nationality, date of birth, telephone number, e-mail address, passport number, ID card number, credit card number, customer service notes and past travel information and many other information of Turkish citizens who are correlated by the aforementioned companies in Turkey, were obtained. Companies have been exposed to these cyber-attacks for a minimum of 2 months and a maximum of 4 years.

The Board has imposed impose an administrative fine in total of TRY 550,000.00 to Cathway Pasific Airway Limited, in total of TRY 1,450,000.00 to Mariott International Inc. and in total of TRY 550,000.00 to Clickbus Travel Services Inc.

  • That this is a security vulnerability, given the time it takes to detect the leakage of information, and on the other hand, companies do not carry out their own inspections and controls,
  • That the companies' hardware and software are not properly configured and the security measures taken are insufficient by considering that access to the networks of other companies within the companies and even in some cases changing the personal data of the customers,

Other News