On October 9, 2024, the Personal Data Protection Authority (“Authority”) published two consecutive breach notifications, which were announced to the public by the Personal Data Protection Board (“Board”). The first of these breach notifications was filed by Atılım University, which qualifies as the data controller, and the second one was filed by Kilis 7 Aralık University, also qualifying as the data controller.
1. Data Breach Notification Submitted to the Board by Kilis 7 Aralık University
As summarized in the Public Announcement, the data breach notification submitted to the Board by Kilis 7 Aralık University includes the following information:
- The source of the breach and how it occurred have not yet been determined,
- Data confidentiality is affected by the breach as a result of unauthorized access,
- The start date of the breach is unknown; it ended on 25.09.2024,
- The breach was detected on 24.09.2024 upon notification by the National Cyber Incidents Response Center (USOM),
- The relevant groups of people affected by the breach are students, customers and potential customers,
Personal data affected by the breach:
- T.R. identity number, name, surname, address, telephone number data in the Transfer Table,
- T.R. identity number, name, surname, telephone number data in the Health Culture Sports Registration Table,
- Name, surname, e-mail, phone number data in the Astroturf Field Reservation Table,
- T.R. identity number, name, surname, telephone number data in the Formation Tables,
- The data of 2,747 people were found in the tables subject to the breach.
The investigation regarding the notification is ongoing. With the Board’s Decision dated 09.10.2024 and numbered 2024/1722, it was decided to announce the data breach notification on the website of the Authority.
2. Data Breach Notification Submitted to the Board by Atılım University
As summarized in the Public Announcement, the data breach notification submitted to the Board by Atılım University includes the following information:
- Cyber attacker/attackers gained unauthorized access to the data controller's systems and, through a service therein, queried the education information of some individuals via the Higher Education Information System (YÖKSİS) of the Council of Higher Education,
- The breach started on 09.05.2024 and ended on 05.06.2024,
- Through the service subject to the violation, only the YÖKSİS education information (with T.R. ID number) of active (studying) students can be queried,
- The number of people affected by the violation could not be clearly identified.
The investigation regarding the notification is ongoing. With the Board Decision dated 09.10.2024 and numbered 2024/1762, it was decided to announce the data breach notification on the website of the Authority.
3. Legal Review
As defined in article 3(d) of the Law No. 6698 dated 24/03/2016 on the Protection of Personal Data (“Law”), personal data refers to “any information relating to an identified or identifiable natural person”. The Public Announcement published by the Board also states which types of personal data are affected by the breach.
Pursuant to art. 12, para. 5 of the Law: In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant persons and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.
Pursuant to paragraph 1 of article 15 of the Law, the Board “shall, upon a complaint or ex officio upon learning of an alleged violation, conduct the necessary investigation on matters within its jurisdiction.”
According to paragraph 5 of the same article, “if it is found that there is a violation as a result of the examination, the Board decides that the unlawfulness detected shall be eliminated by the data controller and notifies the relevant parties. This decision shall be fulfilled without delay and within thirty days at the latest following the notification.”
Pursuant to the relevant provisions of the Law mentioned above, Atılım University and Kilis 7 Aralık University made a notification in accordance with the obligations set out for data controllers and the Board announced the situation to the public while the breach investigation was ongoing within the scope of its duties and powers arising from the law.