Turkey's Personal Data Protection Board (KVKK) has imposed an administrative fine of TL 1.9 million ($140,113) on the country’s largest online food delivery website and smartphone app Yemeksepeti whose data was leaked to hackers due to a cyberattack that went undetected for eight days, the watchdog said Monday.
The platform’s database was breached by hackers reportedly demanding ransom in November last year, which had initially been denied by Yemeksepeti.
The KVKK noted that the web application server belonging to the company responsible for the data was accessed by installing an application and running commands due to the vulnerability in the server, and more than 21 million users were affected by this violation.
Considering the large number of people affected by the breach of access to usernames, addresses, phone numbers, email addresses, passwords and IP information, and the fact that almost the entire customer database was leaked, the breach was a very large-scale one, it said.
When the extent of the violation, the size of the leaked data and the nature of the leaked personal data is considered, the watchdog said this would pose significant risks such as loss of control over personal data for the persons concerned.
"The installation and operation of malicious software on the system could not be noticed by the data controller for eight days, therefore, it has been revealed that the data controller has a fault at the point of checking that the software and services are working and determining whether there is any infiltration or any action that should not occur in the information networks," the KVKK statement said.
The cyberattack was later noticed as a result of the investigation carried out by Yemeksepeti security teams, however the watchdog said, the incident showed the lack of an effective control mechanism on the third-party companies that the data controller receives service from, and the deficiencies in the follow-up of security software and the use of security procedures.
The attackers forwarded the data they obtained from the data controller to an IP address/server located in France, and 28.2 gigabytes (GB) of data coming out of the system, or outgoing traffic, was unnoticed by the data controller, it said.
