Turkish Personal Data Protection Authority Imposes an Administrative Fine of 3,250,000 TL Regarding the Data Breach on an E-Commerce Platform

The summary of the decision made by the Turkish Personal Data Protection Board (“Board”) on 08/08/2024, numbered 2024/1385 (“Decision”), concerning the “Data Breach Notification Submitted to the Board by an E-Commerce Platform” was published on the official website of the Turkish Personal Data Protection Authority (“Authority”).

According to the Decision:

  • Unauthorized individuals exploited a security vulnerability in the vendor portal of the data controller to check whether email addresses obtained from other platforms existed on the portal. In this way they were able to determine which accounts were accessible on the vendor portal of the data controller.

  • Although an application was used to prevent 'bot' traffic when logging into the vendor portal, it was easily bypassed by the unauthorized individuals. The application in question was therefore deemed insufficient to ensure data security.

  • Despite the fact that multiple users logged into the portal from the same IP address on the day the breach began and on the following day, the data breach went undetected by the data controller during this period.

  • The breach was only identified by the data controller after receiving complaints from customers and vendors, indicating a delay in the detection of the breach.

  • Following the data breach, the data controller implemented a two-factor authentication (2FA) process for the information change and login procedures, applied after the vendors had logged into their user accounts.

  • However, the data controller took these precautions, which should have been implemented prior to the breach, only after it had occurred, thereby failing to fulfill its obligation to ensure data security.

  • Paragraph (1) of Article 12 of Law No. 6698 on the Protection of Personal Data (“Law”) stipulates that "The data controller is obliged to take all necessary technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the preservation of personal data, and to ensure an appropriate level of security for the purpose." In light of this provision, an administrative fine should be imposed on a data controller who fails to take the necessary technical and administrative measures to ensure data security. In determining the fine, factors such as the severity of the violation, the degree of fault, and the economic circumstances of the data controller should be considered.
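The detection gap noted above (many vendor accounts attempted from one IP address over two days, with no alert) is the kind of signal a routine login-log review can surface. The following Python example is added here for illustration and is not part of the decision or of the data controller's systems; the log format, the field names and the threshold of five accounts per IP per day are assumptions.

```python
"""Flag IP addresses from which an unusual number of distinct accounts
attempted to log in on the same day (a simple account-enumeration signal)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the decision). Assumed format:
# "<ISO timestamp> <client_ip> <account> <LOGIN_OK|LOGIN_FAIL>"
# Failed attempts are counted too: an enumeration check learns whether an
# account exists regardless of whether the login itself succeeds.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.10 vendor001 LOGIN_OK
2024-05-01T09:00:04 203.0.113.10 vendor002 LOGIN_FAIL
2024-05-01T09:00:07 203.0.113.10 vendor003 LOGIN_OK
2024-05-01T09:00:09 203.0.113.10 vendor004 LOGIN_OK
2024-05-01T09:00:12 203.0.113.10 vendor005 LOGIN_FAIL
2024-05-01T09:00:15 203.0.113.10 vendor006 LOGIN_OK
2024-05-01T10:15:00 198.51.100.7 vendor042 LOGIN_OK
2024-05-02T08:30:00 198.51.100.7 vendor042 LOGIN_OK
2024-05-02T11:00:00 203.0.113.10 vendor007 LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def accounts_per_ip_per_day(log_text):
    """Map (day, ip) -> set of distinct accounts that attempted a login."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, _result = parse_line(line)
        seen[(ts.date().isoformat(), ip)].add(account)
    return seen


def flag_shared_ips(log_text, threshold=5):
    """Return sorted (day, ip, count) tuples for IPs exceeding the threshold."""
    return sorted(
        (day, ip, len(accounts))
        for (day, ip), accounts in accounts_per_ip_per_day(log_text).items()
        if len(accounts) > threshold
    )


if __name__ == "__main__":
    for day, ip, n in flag_shared_ips(SAMPLE_LOG):
        print(f"{day} {ip}: {n} distinct accounts, review for enumeration")
```

Legitimate shared egress addresses (offices, carrier NAT) will also trip a fixed threshold, so the output is a review queue rather than an automatic block.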

Based on the above assessments, it has been decided to impose an administrative fine of 3,250,000 TL on the company, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.

You can access the full text of the decision (in Turkish) here.

Kind regards,

Zumbul Attorneys-At-Law

info@zumbul.av.tr