Turkey's Personal Data Protection Authority (KVKK) issued a 1,650,000 Turkish lira ($270,000) administrative fine against social media platform Facebook over data breach and failure to report the issue to authorities.

The watchdog launched a direct investigation against Facebook over Engineering Director Tomer Bar's statement released on Dec. 14, 2018 over an API bug allowing third-party applications access to user photos. The company said at the time that the breach, taking place for 12 days between September 13 and 25, "may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers."

The KVKK found that Facebook failed to timely intervene in the breach and failed to take proper technical and administrative measures. The data leak was a breach of Article 12 of the Law No. 6698 on the Protection of Personal Data, the KVKK said, issuing a TL 1.1 million fine over failure to meet data security liabilities.

An additional TL 550,000 fine was issued to Facebook for failing to notify the KVKK regarding the leak.

The KVKK said that around 300,000 users in Turkey may have been affected by this data breach.

The Grand National Assembly of Turkey adopted the Law No. 6698 on March 24, 2016 in the line with the European Union's the General Data Protection Regulation (GDPR).