The Personal Data Protection Board (“Board”) rendered a decision dated 24.11.2020 and numbered 2020/905 (“Decision”) regarding an insurance company acting as data controller (“Data Controller”) that failed to take the technical and administrative measures necessary to ensure data security and failed to fulfil its obligation to notify a data breach.
In the data breach notification submitted by the Data Controller, it is stated that (i) the breach resulted from a cyber-attack against the test server of the website and was detected on the same day; (ii) the repeated, periodic login attempts made from abroad against the website’s login page had not been detected; (iii) the database containing personal data was erased during the breach and replaced with ransom notes; (iv) the database was possibly copied before it was erased; and (v) 311 data subjects were affected, and the personal data affected included the national identity numbers, names, surnames, e-mail addresses and vehicle registration plates of the data subjects.
Within the scope of the obligation to take the technical and administrative measures necessary to ensure data security under Article 12, paragraph 1 of the Personal Data Protection Law numbered 6698 (“PDP Law”), the Board made the following findings regarding the Data Controller:
- The test server on which the breach occurred was not included in the periodic penetration tests, which shows that the necessary controls were not exercised;
- Although the Data Controller had prepared a Data Security and Data Breach Procedure, the controls set out in that procedure were not actually carried out;
- The test page was accessible from anywhere in the world, and the passwords in use were not of sufficient complexity and strength;
- After the breach, the Data Controller was able to run its testing processes on the test server without loading personal data onto it; had the same approach been used before the breach, the personal data would not have been put at risk;
- Secure communication methods and strong authentication were not used as additional safeguards for access to the test server;
- The personal data affected by the breach included national identity numbers, which are of particular importance to data subjects. The adverse consequences of the breach could have been reduced by storing sensitive personal data in encrypted form according to its level of confidentiality, and the Data Controller did not demonstrate sufficient care in this respect.
In light of these evaluations, the Board decided to impose an administrative fine of TRY 300.000,- on the Data Controller in accordance with Article 18, paragraph 1, subsection (b) of the PDP Law, for failure to take the technical and administrative measures necessary to ensure data security under Article 12, paragraph 1 of the PDP Law.
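The last finding is the one that most directly limits the damage in the scenario the notification describes, a database copied before being wiped: if the national identity numbers are stored only as ciphertext under a key kept outside the database, the copy yields no usable identifiers. The following Go program is an added example, not code from the Decision, the Data Controller or the Authority, showing one way to do that: each national ID is encrypted with AES-256-GCM, bound to its row identifier as associated data so ciphertexts cannot be moved between rows, and accompanied by an HMAC-SHA256 “blind index” so the application can still look a record up by national ID without decrypting every row. The two keys are hard-coded here only so the example runs offline; the field names, sample values and key-handling arrangement are assumptions of this example, not details from the Decision.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Demo keys, hard-coded ONLY so the example runs offline (assumption of this
// example). In production both keys live in a KMS/HSM, never in code and never
// in the same database as the ciphertext.
var (
	demoEncKey   = []byte("example-32-byte-encryption-key!!")
	demoIndexKey = []byte("example-32-byte-blind-index-key!")
)

// StoredRecord is the row as it sits in the database. The national ID appears
// only as AES-256-GCM ciphertext plus a keyed blind index, so a copied dump
// reveals neither the number nor a cheaply brute-forceable digest of it.
type StoredRecord struct {
	ID            string
	Name          string
	Email         string
	Plate         string
	NationalIDEnc string // base64(nonce || ciphertext || GCM tag)
	NationalIDIdx string // hex(HMAC-SHA256(indexKey, nationalID))
}

type FieldCrypto struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewFieldCrypto(encKey, indexKey []byte) (*FieldCrypto, error) {
	if len(encKey) != 32 || len(indexKey) != 32 {
		return nil, errors.New("both keys must be 32 bytes")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCrypto{aead: aead, indexKey: indexKey}, nil
}

// Encrypt seals the field under a fresh random nonce and binds it to the row
// ID as associated data, so a ciphertext copied into another row will not open.
func (f *FieldCrypto) Encrypt(rowID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt fails on a wrong key, a wrong row ID or any tampering with the data.
func (f *FieldCrypto) Decrypt(rowID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BlindIndex is a deterministic keyed digest used only for exact-match lookup.
func (f *FieldCrypto) BlindIndex(plaintext string) string {
	m := hmac.New(sha256.New, f.indexKey)
	m.Write([]byte(plaintext))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Store builds the row that would be written to the database.
func (f *FieldCrypto) Store(id, name, email, plate, nationalID string) (StoredRecord, error) {
	enc, err := f.Encrypt(id, nationalID)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, Name: name, Email: email, Plate: plate,
		NationalIDEnc: enc, NationalIDIdx: f.BlindIndex(nationalID)}, nil
}

// FindByNationalID locates a row by national ID without decrypting any field.
func (f *FieldCrypto) FindByNationalID(rows []StoredRecord, nationalID string) (StoredRecord, bool) {
	want := f.BlindIndex(nationalID)
	for _, r := range rows {
		if hmac.Equal([]byte(r.NationalIDIdx), []byte(want)) {
			return r, true
		}
	}
	return StoredRecord{}, false
}

// LeaksPlaintext reports whether a dump of the stored row contains the raw number.
func LeaksPlaintext(r StoredRecord, nationalID string) bool {
	return strings.Contains(fmt.Sprintf("%+v", r), nationalID)
}

func main() {
	fc, err := NewFieldCrypto(demoEncKey, demoIndexKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample data for this example, not taken from the Decision.
	row, err := fc.Store("row-1", "Ayşe Yılmaz", "ayse@example.com", "34ABC123", "12345678901")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", row)
	fmt.Println("dump leaks national ID:", LeaksPlaintext(row, "12345678901"))
	got, _ := fc.FindByNationalID([]StoredRecord{row}, "12345678901")
	pt, _ := fc.Decrypt(got.ID, got.NationalIDEnc)
	fmt.Println("decrypted with key:", pt)
}
```

The blind index is the trade-off to notice: it makes exact lookups possible, but an attacker who obtains the index key together with the dump can test candidate national IDs against it, so that key needs the same protection as the encryption key. Neither key should ever sit on the test server in the first place, which is also why loading real personal data onto a test system, as happened here, defeats the measure regardless of how the production database is protected.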
Within the framework of the data breach notification obligation regulated in Article 12, paragraph 5 of the PDP Law, the Board also found that the Data Controller:
- did not notify the Personal Data Protection Authority (“Authority”) of the data breach within 72 hours from detection of the breach, as required by the Board Decision dated 24.01.2019 and numbered 2019/10;
- did not notify the data subjects determined to have been affected by the breach, as required by the Board Decision dated 18.09.2019 and numbered 2019/271; the announcement published on the Data Controller’s website could not be regarded as a notification to the identified data subjects in this context.
In light of these assessments, the Board concluded that the Data Controller did not properly notify the Authority and the data subjects, and decided to impose an administrative fine of TRY 30.000,- on the Data Controller in accordance with Article 18, paragraph 1, subsection (b) of the PDP Law.
You may reach the full Turkish version of the Decision via the link below.