The technical and administrative measures recommended to be taken by Data Controllers regarding user security were announced on the website of the Personal Data Protection Authority (“Authority”) on 15.02.2022.
Pursuant to Article 12, paragraph 1 of the Personal Data Protection Law, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security.
As a result of the data breach notifications submitted to the Authority, the Authority stated that the user account information used to log in to the websites of data controllers operating in various sectors such as finance, e-commerce, social media and gaming is publicly being published on some websites and expressed that the personal data obtained from the systems of data controllers or by using security vulnerabilities in end-user computers, are shared unlawfully and can be offered for sale for an economic value, and that this data can be archived and remarketed as data sets by malicious persons.
The Authority has determined that lack of technical and administrative measures such as “the use of the same username and password on different platforms, no password change at certain time intervals, two-stage authentication etc.” are causing personal data breaches.
In this context, it is recommended by the Authority that Data Controllers should take the appropriate technical and administrative measures stated below by making their own risk assessments.
- Establishing two-factor authentication systems and presenting them to their users as an alternative security measure from the membership application stage,
- Sending the login information to the data subjects’ contact addresses, via e-mail/sms etc. in case of logging in on different devices other than the devices that provide frequent access to the users’ accounts,
- Protecting applications with HTTPS (Hypertext Transfer Protocol Secure) or in a way that provides the same level of security,
- Using secure and up-to-date hashing algorithms to protect user passwords against cyber-attack methods,
- Limiting the number of unsuccessful login attempts from the IP (Internet Protocol Address) address,
- Ensuring that the data subject can view their information about at least the last 5 successful and unsuccessful login attempts,
- Reminding the data subject that the same password should not be used on more than one platform,
- Establishment of a password policy by data controllers and ensuring that user passwords are changed periodically or reminding the data subject about this issue,
- Preventing newly created passwords from being the same as old passwords (at least the last three passwords), using technologies such as security codes (CAPTCHA, four processes, etc.) that distinguish computer and human behaviour when logging into user accounts, limiting the IP addresses that are allowed to be accessed,
- Ensuring that the passwords entered into the systems of data controllers must be at least 10 characters in length, and that strong passwords are created for the combination of upper- and lower-case letters, numbers and special characters,
- Regularly performing security updates of these software and services and making necessary checks if third-party software or services are used to access the systems of data controllers.
You can reach the full Turkish text of the announcement via the link below.