On March 25, 2021, the Turkish online delivery company Yemeksepeti A.Ş. (“Yemeksepeti A.Ş.”) announced that its user database had been attacked by unidentified hacker(s) and that a security breach had occurred. In a public announcement on its official social media accounts, Yemeksepeti A.Ş. added that some of its users' account information had been captured by the attackers.
According to Yemeksepeti A.Ş.'s explanation, the user information captured by the hackers consists of: (i) name and surname, (ii) date of birth, (iii) telephone numbers registered with Yemeksepeti, (iv) e-mail addresses registered with Yemeksepeti, (v) home and work addresses registered with Yemeksepeti and (vi) user passwords encrypted with the SHA-256 algorithm. The company also stated that Yemeksepeti accounts cannot be accessed by third parties, since user passwords are encrypted with SHA-256, one of the SHA-2 family of secure hash algorithms developed by the National Security Agency (“NSA”) of the USA.
Finally, Yemeksepeti A.Ş. declared that, following the cyber-attack, it had started working with all of its software and cyber security teams and security consultants on the details of the breach. The relevant legal authorities, in particular the Turkish Personal Data Protection Authority, were then notified, since Yemeksepeti A.Ş. has the status of “data controller” under the Turkish Data Protection Law No. 6698 (“Law No. 6698”) and has corresponding obligations.
Obligations of Yemeksepeti A.Ş. as a Data Controller
“Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system under Law No. 6698. Accordingly, Yemeksepeti A.Ş. is a data controller with regard to its daily operations. Law No. 6698 imposes certain obligations on data controllers, including the obligation to ensure data security. Under the law, the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
preventing unlawful processing of personal data,
preventing unlawful access to personal data,
ensuring protection of personal data.
To fulfil these obligations, the data controller has to take all necessary technical and administrative measures to ensure the appropriate level of security. Law No. 6698 also imposes an audit obligation on the data controller regarding data security: the data controller is obliged to audit its institution or organization, or to have it audited. This audit mechanism can therefore be operated by the data controller itself or by a third party. Finally, in the event that processed personal data are captured by others through illicit means, the data controller must notify the data subjects and the Turkish Data Protection Board (“Board”) as soon as possible. The Board may, if necessary, announce the breach on its official website or by any other method it deems appropriate.
In its public announcement, Yemeksepeti A.Ş. declared that it has taken all necessary measures to ensure the data security of its users since the start of its operations. It also stated that user passwords are encrypted with the SHA-256 algorithm, which it described as almost impossible to break. Yemeksepeti added that users' credit card and other payment information is also safe, because credit card information is not stored in Yemeksepeti's database but in a remote database protected by MasterCard.
The Board was notified by Yemeksepeti A.Ş. on March 25, 2021, when the company first detected that its cyber security defences might have been circumvented and data stolen. However, the Board has not yet announced the breach on its official website.
The Board’s Perspective on Data Security Breaches
The Board may open a review on the basis of a data controller's notification of a personal data breach. Judging from its published decisions, the Board examines whether the data controller has taken the necessary technical and administrative measures to ensure data security and has fulfilled its obligation to notify the breach, and decides on that basis whether to impose an administrative fine. Recently, the Board rendered decision No. 2020/905 (“Decision”) concerning an insurance company, acting as data controller, that had failed to take the necessary technical and administrative measures to ensure data security and to fulfil its obligation to notify a data breach.
In the case subject to the Decision, the data controller submitted a data breach notification to the Board declaring that the breach had occurred through a cyber-attack on the test server of its website, that the database containing personal data had been erased during the breach and replaced by ransom notes, and that the personal data affected by the breach included national identity numbers, names, surnames, e-mail addresses and vehicle registration plates of the data subjects.
In the Decision, the Board considered several matters before concluding that the data controller had failed to comply with its obligation to ensure data security. For instance, the Board held that the passwords were not of sufficient complexity and strength, and that secure communication methods and strong authentication methods were not used as additional safeguards for access to the test server. Moreover, the Board pointed out that although encrypting the national identity numbers, which are of particular importance, could have minimized the harm to the data subjects, the data controller had not demonstrated that it did so. On the basis of these evaluations, the Board imposed an administrative fine of TRY 330,000.00 on the insurance company.
Ezgi Ceren Aydoğmuş