Turkish Personal Data Protection Board (“Board”), with its decision numbered 2020/213 and dated March 12, 2020 (“Decision No. 2020/213”), has fined an internet service provider data controller for failing to take necessary technical and administrative measures to ensure data security in compliance with the Article 12(1) of the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) upon the internet service provider’s notification of personal data breach to the Board.
According to the summary provided by the Board regarding the data controller’s notification of personal data breach, customers’ credit card information has been exposed to third parties due to a security breach comprised during an attempt to fix an online transaction failure of the invoice payment system under the Online Transaction Center, operated by the data controller for customer’s to conduct subscription transactions. The main reason of breach was stated to be the change made to the application with the purpose to fix the failure via “debug” by adding features that create logs. As a result, credit card information of 69 customers has been displayed by third parties.
It has been explained by the Board that; i) to actualize a verbal failure fix request conveyed to the software developers in actual platform instead of test environment indicates that procedures regarding applying application changes to actual (live) platform are not followed, which is considered lack of technical and administrative measures, ii) inadequacy of testing procedures indicates that technical and administrative measures with regards to application security have not been taken, iii) even though the data controller claimed that personal data is either not displayed or masked in system interface, customer’s personal data (identity and finance) was exposed due to an error, which indicates technical inadequacy, and iv) even though the data controller has a data security policy, the effective date is subsequent to the date of the breach. Therefore, the Board has concluded to fine the data controller to an administrative fine amounting to TRY 300,000.00- pursuant to the Article 18(1)(b) of the Law No. 6698.