Following a data breach that occurred on the company's web application server, the Personal Data Protection Authority ("Authority") published a summary of its Decision No. 2021/1324, issued on 23 December 2021, in which it imposed a fine of TRY 1.9 million (approximately €122,130) on Yemek Sepeti Elektronik İletişim Perakende Gida Lojistik A.Ş. ("Yemek Sepeti") for violations of Article 12(1)(a) of the Law on Protection of Personal Data No. 6698 ("Law").

In the data breach notification submitted to the Authority by the data controller it is stated that:

  • The web application server of Yemek Sepeti was accessed by (an) unidentified person(s) on 18 March 2021,
  • The equipment-based system that signals/prevents unauthorized access under normal conditions failed to function properly, and as a consequence of this malfunction the unauthorized access(es) could not be noticed immediately,
  • When the alarms received on 25 March 2021 were examined, it was determined that there was suspicious behavior,
  • In the system survey carried out on the same date, it was found that an application had been installed by exploiting a vulnerability on a web application server belonging to Yemek Sepeti and that the server had been accessed by running a command,
  • The attackers transmitted the data to an IP address/server in France, and this transmitted traffic left traces on the firewall,
  • 21,504,083 Yemek Sepeti users were affected by the breach,
  • Personal data affected by the breach are username, address, phone number, e-mail address, user password, and IP information.

In its examination of this violation, the Board found that the leak of data covering almost the entire customer database constitutes a very large-scale violation and that, considering the size of the leaked data and the nature of the personal data, significant risks such as loss of control over their data may arise for the data subjects. The fact that the leak of almost all user data could not be noticed for 8 (eight) days was evaluated by the data controller as an indication that security controls and data security follow-up were not carried out properly, and due to this shortcoming, the exact extent of the data leak could not be determined.

In this context, the Board considered that the company had failed to meet its duties under Article 18(1)(b) of the Law to take all necessary technical and administrative steps to maintain an adequate level of security and decided to impose an administrative fine of TRY 1.9 million (approx. €122,130). The full version of the decision, which is available only in Turkish, can be reached from here.

For more information, please visit our LinkedIn page - Deris Intellectual Property
