Privacy Blog
THE TURKISH PERSONAL DATA PROTECTION BOARD FINES FACEBOOK ₺1.600.000
3 October 2019
The Turkish Personal Data Protection Board (the “Board”) released on its website today its decision on the data breach at Facebook, which affected nearly 300,000 people.
In this decision, the Board stated that the Facebook representatives first sent an e-mail to the Board on 14.10.2018, explaining that the data breach was caused by an error that arose from the interaction of three different features of the Facebook system (the “View As”, “Birthday Celebrator” and “Video Uploader” features).
In the related e-mail, it was explained that various Facebook account information was obtained by using access tokens, that the breach that enabled the attack occurred on 21.07.2018, that the attack took place on 14.09.2018 and was noticed on 25.09.2018, and what the reasons for the related breach were.
Although the Facebook representatives stated that a written notification about the data breach would be conveyed to the Board within a week, the Board never received that notification and decided to launch an investigation ex officio.
As a result of this investigation, The Board decided that;
- Considering that the errors which caused this data breach should have been detected during the testing phase and corrected before the change was published, the Company was at fault in taking the technical and administrative measures specified in the Personal Data Protection Code.
- The relevant breach persisted for approximately 14 months, from 21 July 2017 to 27 September 2018, indicating that the necessary controls had not been carried out.
- The Company stated that, as a result of the related breach, the attack took place over 13 days, between 14 and 27 September 2018. This means:
- On 27 September 2018, a patch was developed for the breach, but although Facebook had detected the breach on 25 September 2018, the breach continued for 2 days,
- On September 28, 2018, the “View As” feature was temporarily disabled, so the deactivation was performed 3 days after the detection,
- Access tokens (approximately 90 million) for accounts identified as potentially affected were deactivated between September 27, 2018 and September 29, 2018,
- After unusual activity started on September 14, 2018, a breach was detected, and there may also have been a data breach between July 21, 2017 and September 14, 2018, during which no unusual activity was observed.
Therefore, the breach was not responded to in a timely manner, which was an indication of deficiencies in taking technical and organisational measures.
- 280.959 Turkish users were affected by the breach, and the affected data included special categories of data (sensitive data, i.e. religion, sex, education/work history information).
Based on these findings, the Company was fined ₺1.150.000 for deficiencies in the technical and organisational measures, and ₺450.000 because no notification of the data breach had been made to the Board.
You can find the text of the decision (in Turkish) here.
Should you have any queries and/or remarks, please do not hesitate to contact us.
Kind regards,
Zumbul Attorneys-at-Law
info@zumbul.av.tr