Information Note On The Regulation On The Procedures And Principles Governing The Transfer Of Personal Data Abroad

Personal Data Protection Law

Data Protection Authority (“The Authority”) Announcement of 4 July on Data Breaches at Creditwest Faktoring Anonim Şirketi and Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi

According to the public announcements published on the website of the Personal Data Protection Board (“The Board”), Creditwest Faktoring Anonim Şirketi and Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi suffered data breaches.

The breach in question was notified to The Authority by the data controller as part of the notification obligation pursuant to paragraph (5) of Article 12, entitled "Obligations regarding data security", of the Personal Data Protection Act No. 6698. 

1. In the letter sent to The Authority by the data controller, Creditwest Faktoring Anonim Şirketi, it was disclosed that:

  • The breach occurred as a result of an attack on the data controller's servers, and the technical analysis of the breach is ongoing,
  • The breach was discovered after a SOC monitoring alert was received,
  • The number of individuals affected by the breach has not yet been determined,
  • The breach began on 27/06/2024 and ended on the same date,
  • The categories of personal information affected by the breach are: identity, contact, location, personal, customer transaction information,
  • The groups of people affected by the breach are employees and customers.

Although the investigation into the matter is ongoing, by decision of The Board dated 4 July 2024 and numbered 2024/1088, it was decided to publish the notification of the data breach on The Authority's website.

You can access the full text of the announcement (in Turkish) here.


2. In the letter sent to The Authority by the data controller, Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi, it was disclosed that:

  • The breach occurred through a leak in the Application Programming Interface (API) of the website where the data controller's car rental reservations are received,
  • The breach was detected through the email sent by the cyber attacker to the company's staff on 26 June 2024,
  • The relevant categories of individuals affected by the breach are customers and potential customers,
  • The categories of personal data affected by the breach are identity (name, surname, Turkish ID number), contact (address, telephone number, email address) and customer transaction information (booking date, rental period and rental price),
  • The number of people affected by the breach is 185; the database contains personal data of approximately 12,000 customers; technical investigations into the breach are ongoing.

Although the investigation into the matter is ongoing, by decision of The Authority dated 4 July 2024 and numbered 2024/1089, it was decided to publish the notification of the data breach on The Authority's website.

You can access the full text of the announcement (in Turkish) here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr