The KVKK, the Personal Data Protection Authority operating under the Ministry of Justice, imposes fines on those who use personal data for purposes other than those for which it was collected. A bank employee forwarded the personal information of 346 customers to a friend who works at an investment firm. The bank’s data leakage team submitted the data breach notification to the KVKK.
The investigation determined that the employee compiled the information of 346 customers into a Word document and sent that document by e-mail to a third party who, he claimed, was a friend working at an investment firm.
All of the customers in question had made money transfers to an investment company, and the personal data categories affected by the breach were identity, contact, customer transaction and financial data. The customers whose data were shared were not customers of the branch where the employee worked, so the employee had no legitimate reason to collect and share the data.
The review determined that the following data of 346 bank customers were affected by the breach: branch number, account number, name and surname, mobile phone number, and the amount of the investment transaction sent by these customers from their bank accounts to an investment firm’s account. Although the employee involved in the breach had completed the “Personal Data Protection Law” training on 09.10.2018, more than a year before the data breach occurred, it was determined that the training was neither sufficient nor effective, since the employee personally committed the breach.
Although the bank stated that it operates a data leakage detection/prevention (DLP) system for e-mails sent outside the bank, the e-mail that caused the breach was not blocked by the DLP system. The board’s decision included the following statements:
“In light of the provision that ‘the necessary technical and administrative measures shall be planned and implemented’, it is understood that the measures taken by the data controller are insufficient in terms of preventing unauthorized personal data transfer. Considering that this indicates that the technical and administrative measures taken by the data controller to ensure data security are insufficient, and taking into account the unfair content of the fault, the fault of the data controller and the economic situation of the data controller, who did not take the necessary technical and administrative measures to ensure data security, within the scope of Article 18(1)(b) of the Law, 225 thousand TL; it is clear that the necessary notifications have been made to the relevant persons and that samples of the said notifications have been sent to us. Considering that the notification condition was not met within the 72-hour period starting from the learning of the data breach, owing to the late notification to our institution, the data controller is subject to Article 18(1)(b) of the Law for violating the obligation to notify (within the 72-hour period specified in the Board decision). It has been decided to impose an administrative fine of 275 thousand TL, of which a thousand TL is in total.”