On October 3, 2019 the Turkish Personal Data Protection Authority (“the Authority”) announced that an administrative fine had been imposed on Facebook following a data breach. This is the second time in 2019 that the Authority has fined Facebook for non-compliance with the Turkish Law on Protection of Personal Data w. no 6698 (“the Law”).
In its decision w. no 2019/269, the Authority found that the breach resulted from an error arising from the interaction of three different Facebook features: “the third-party view”, “the birthday celebrator” and “the video uploader”.
Here is what happened:
1- On 14.10.2018 the Facebook representative sent an email to the Authority notifying it as follows:
· Between September 14-28, 2018, various Facebook account information was obtained using access tokens; the attackers exploited a vulnerability resulting from the interaction of three errors to obtain those access tokens,
· The attack was stopped; however, the investigation into the violation continued,
· The vulnerability in question arose from the interaction of three separate errors,
· When the "third party view" feature was used, which allows a person to view his or her own profile as a friend would see it, the application code did not remove the box that allows people to celebrate others' birthdays, the video uploader created an access token when none should have been created, and the created access token belonged to the displayed person rather than to the user,
· The attackers were then able to access other accounts using this access token, and by repeating the same steps they captured the access tokens of further accounts associated with that account.
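The three interacting errors described in the notification reduce to a single violated invariant: a token minted while serving a request must name the authenticated user as its subject, and a read-only "view as" preview must mint nothing at all. The following Python model is an added illustration, not Facebook's code; the names Session, Token, TokenStore, render_profile_vulnerable, render_profile_fixed and audit_tokens are assumptions made for this example. It places the defective behaviour beside a hardened variant and adds the kind of test-stage check the Authority says should have caught the error before the change was published.

```python
# Added, hypothetical model of the defect described in the decision. Not
# Facebook's code; Session, Token, TokenStore, render_profile_* and
# audit_tokens are names assumed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets


@dataclass
class Session:
    actor: str                       # the authenticated user making the request
    view_as: Optional[str] = None    # set when previewing the profile as a friend sees it


@dataclass
class Token:
    subject: str                     # whose account the token grants access to
    value: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass
class TokenStore:
    issued: List[Token] = field(default_factory=list)

    def mint(self, subject: str) -> Token:
        token = Token(subject=subject)
        self.issued.append(token)
        return token


def render_profile_vulnerable(session: Session, store: TokenStore) -> Tuple[List[str], Optional[Token]]:
    """Reproduces the three interacting errors from the notification:
    1. the birthday composer is still rendered inside a view-as preview,
    2. the composer's video uploader mints a token it should not mint,
    3. the token is issued for the displayed person rather than the actor."""
    components = ["profile", "birthday_composer", "video_uploader"]   # error 1
    subject = session.view_as or session.actor                         # error 3
    token = store.mint(subject)                                         # error 2
    return components, token


def render_profile_fixed(session: Session, store: TokenStore) -> Tuple[List[str], Optional[Token]]:
    """Hardened variant: a preview is read-only and mints nothing, and any
    token minted outside a preview is bound to the authenticated actor."""
    if session.view_as is not None:
        return ["profile"], None
    components = ["profile", "birthday_composer", "video_uploader"]
    return components, store.mint(session.actor)


def audit_tokens(session: Session, store: TokenStore) -> List[str]:
    """Test-stage invariant: every token minted during a request must name the
    authenticated actor as its subject. Returns one finding per violation."""
    return [
        f"token {t.value} issued for {t.subject!r} during a request by {session.actor!r}"
        for t in store.issued
        if t.subject != session.actor
    ]


def demo() -> Tuple[int, int]:
    """Runs both variants against a constructed view-as preview and returns
    the number of audit findings for (vulnerable, fixed)."""
    preview = Session(actor="alice", view_as="bob")   # constructed sample session
    vuln_store, fixed_store = TokenStore(), TokenStore()
    render_profile_vulnerable(preview, vuln_store)
    render_profile_fixed(preview, fixed_store)
    return len(audit_tokens(preview, vuln_store)), len(audit_tokens(preview, fixed_store))


if __name__ == "__main__":
    print(demo())   # (1, 0)
```

The audit deliberately checks the token store rather than the rendered page: the first error (an unremoved UI box) is what a visual test would notice, but the security-relevant defect is the second and third, and an invariant on token subjects catches those regardless of which feature combination triggers them.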
2- Although Facebook stated that further information would be submitted to the Authority in writing the following week, no further notification was made. The Authority therefore decided to carry out an ex officio examination. As a result of that examination, the Authority made the following evaluations:
· The data breach was caused by a vulnerability arising from the interaction of “the third-party view”, “the birthday celebrator” and “the video uploader”, three different features of the Facebook system.
· Considering that such errors should be detected during the testing stage and corrected before changes are published, Facebook failed to take the technical and administrative measures required by paragraph (1) of Article 12 of the Law in respect of the data breach.
· The fact that the vulnerability persisted for 14 months and that the breach was not addressed in time indicates deficiencies in technical and administrative measures.
· A total of 280.959 users who use Facebook in the Turkish language were affected by the data breach. Personal data and sensitive personal data were subject to the breach, in violation of Article 3 of the Decision of the Personal Data Protection Authority dated 31/01/2018 and numbered 2018/10 on "The Adequate Measures to be Taken When Processing Sensitive Personal Data" (https://www.iptechlegalblog.com/post/measures-that-must-be-taken-for-processing-sensitive-personal-data-in-turkey) and of Article 12 (1) of the Law.
· Facebook did not notify the Authority of the data breach.
3- In this context, the Authority decided that Facebook should pay the following fines:
· Because Facebook failed to take the technical and administrative measures required by paragraph (1) of Article 12 of the Law, a fine of TRY 1.150.000 was imposed pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law, and
· Facebook failed to notify the Authority of the data breach although the breach was detected on 25 September 2018. A fine of TRY 450.000 was therefore imposed for non-compliance with paragraph (5) of Article 12 of the Law.