The Board of Protection of Personal Data Has Published a New Decision 19 September 2019

Pursuant to the articles 15 and 22 of the Law on Protection of Personal Data no. 6698 (“Law”), the Board of Protection of Personal Data (“Board”) is entitled to conduct necessary inspection within the scope of its remit either ex officio in case it learns the allegation of a violation or upon complaint, and to impose administrative fines in case of breach. The Board publishes decision summaries of its investigations which are considered to be important and to establish precedent on its website.

We hereby present the summary of the decision by the Board about violation of data related to information of application users.

The decision No. 2019/222 about data breach related to information of application users published on 17 September 2019 by the Board of Protection of Personal Data

Owner of an application company which allows the users to dub and share them on social media was aware of data breach, when a person, who claims to be a journalist, sent an e-mail about a person who claims to have personal data of Darknet application users, therefore, this application company agreed with an digital forensic medicine firm for investigating these claims.

As a result of this investigation, it is suspected that this incident occurs with a purchase of data copy containing the user’s information and it is detected that the information about 679.269 person, which define Turkey as a related country in its public profile, is included in the purchased data base.

Although the company indicated that necessary steps have been taken including strengthening of security measures and providing security of network and systems to prevent the repetition of breach, it is determined by the Board that the data including the information about the real person such as user name, passwords, date of birth, phone number, e-mail address, country/language of approximately 162 million user accounts is sold on Darknet web which can work on both IOS and Android operating systems. Furthermore, it is not known how the data breach occurred considering the fact that these data have been on sale since November, 2018. Also, it is detected by the Board that the fact that the company has been informed by a journalist about data breach demonstrates the faultiness of the company from technical and administrative aspect and that the company didn’t inform the users about data breach on a large scale, in this reason, these users can only find out from certain sites if their data has been breached.

For this reason, the Board, pursuant to Article 12 of the Law, decided to impose TL 680,000 due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose TL 50,000 due to application which violates the obligation to notify as soon as possible. Furthermore, the Board, considering the number of person affected by the breach, decided that this breach should be announced on the website of the Board in accordance with Article 12 of Law No. 6698.

Other News