A Public Announcement Regarding Data Breach Notification Published by Turkish Data Protection Authority
With the public announcement published on the website of the Turkish Data Protection Authority (“The Authority”), the data breach notification of Güneş Ekspres Havacılık Anonim Şirketi was shared.
The breach in question was notified to the Authority by the data controller in accordance with the notification obligation pursuant to paragraph (5) of Article 12, entitled "Obligations regarding data security", of the Personal Data Protection Act No. 6698 (“The Law”).
The breach notification is summarised as follows:
- A cyber attacker gained unauthorised access to the campaign management platform used by the data controller by obtaining the credentials of an administrator account, and sent phishing emails from this account,
- The breach occurred on 15/07/2024 and was detected on the same day,
- The cyber attacker sent a total of 1,986,293 emails to 596,659 unique email addresses,
- The relevant classes of individuals affected by the breach are employees, customers and prospective customers,
- The category of personal information affected by the breach is contact (email) information,
- Of the 596,659 email addresses to which the cyber attacker sent emails:
  - 86 belonged to employees (current and former) and 249,668 belonged to customers,
  - 346,905 email addresses were of unknown origin and were email addresses that the cyber attacker uploaded to the system during the attack,
- Data subjects can obtain information about the data breach by completing the form on the data controller's website.
Although the investigation into the matter is ongoing, the Personal Data Protection Authority decided, by its decision dated 18.07.2024 and numbered 2024/1230, to publish the data breach notification on the Authority's website.
You can access the text of the public announcement (in Turkish) here.
Kind regards,
Zumbul Attorneys-at-Law