PandemicIt changes our daily habits. Many of the things we once did physically are nowadays using mobile applications. Mainly used for food and grocery shopping Food basket and Bring The number of such applications is increasing day by day. However, this also brings some problems.
One of the first examples of such applications, Food basketDue to its popularity, it is often the target of cybercriminals. Finally, the platform, which appeared to have stolen user data in the past months, KVKK punished by Here are the details…
Yemeksepeti fined 1 million 900 thousand TL
A group of hackers that emerged last October, Food basket put the information of its users up for sale. Thus, millions of users It was revealed that personal data such as open address, name-surname, phone number were stolen.
If immediately after Personal Data Protection Authority (KVKK), launched an investigation against the company. Finally, the institution, which completed the process, determined that the servers were infiltrated and fined Yemeksepeti 1 million 900 thousand TL. The total number of users whose personal information was accessed is 21 million 504 thousand 83 people. Here are all the findings of KVKK on the subject…
- The server is accessed by installing an application and running a command due to a vulnerability on a web application server belonging to the data controller,
- 21.504.083 Yemeksepeti users were affected by the breach,
- Affected personal data is username, address, phone number, e-mail address, password and IP information,
- Considering the large number of people affected by the breach and the fact that almost the entire customer database was leaked, the breach was very large,
- Considering the extent of the breach, the size of the leaked data and the nature of the leaked personal data, the breach will pose significant risks for the persons concerned, such as loss of control over personal data,
- The person or persons entering the system, after logging into the system with malicious software and tools, information is collected by accessing other systems, the installation and operation of harmful software on the system cannot be noticed by the data controller for 8 days, so it is necessary to control which software and services are running in information networks and to infiltrate or prevent information networks. There is a fault of the data controller at the point of determining whether there is a movement that should not be,
- It was stated that alarms occurred in security software since 18.03.2021, that these alarms were turned off without making the relevant notifications to the Yemek Sepeti Security Teams and taking the necessary actions for the products monitored by third party companies. When taken into consideration, this situation indicates that there is no effective control mechanism on the third party companies that the data controller receives service from and that there are deficiencies in the follow-up of security software and the use of security procedures,
- Considering that the attackers transmit the data obtained from the data controller to an IP address/server location in France, the 28.2 GB data coming out of the system/outgoing traffic cannot be noticed by the data controller and this data traffic has traces on the firewall; Even though there are traces on the firewall, the fact that data leaks of this size are not noticed is an indication that security controls and data security monitoring are not carried out properly by the data controller,
- Considering that it is stated that the server with the vulnerability is a server that has passed the penetration test, this situation shows that the penetration tests are not / were not carried out effectively by the data controller,
- It is an indication that the data controller who processes a large amount of personal data experiences a breach of this magnitude and is late in responding, and does not determine the current risks and threats well.
So what do you think about this subject? Will the penalty imposed by the KVKK be sufficient for the company to take further measures? Give your feedback in the comments section or SDN ForumYou can share it with us.