The Sentencing of Yemeksepeti Has Been Announced

The final decision was made today regarding the Yemeksepeti.com incident, which came to the fore with a major hacking scandal in the past weeks and allegedly seized the data of tens of millions of Turkish users. The Personal Data Protection Authority, which started an investigation after the news reflected in the press, announced the penalty to be applied to Yemeksepeti.

According to the decision shared by KVKK, Yemeksepeti 1 million 900 thousand TL administrative fine sentenced.

All details about the attack were shared

The full decision published by KVKK is as follows:

“As a result of the examination of the data breach notification within the framework of the Authority’s authority and duty, with the Decision of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1324;

• The server is accessed by installing an application and running a command due to a vulnerability on a web application server belonging to the data controller,
• İhlalden 21.504.083 Yemeksepeti users were affected,
• Affected personal data username, address, phone number, e-mail address, password and IP information,
• The large number of people affected by the violation, and almost the entire customer database was leaked Considering that the violation is very large,
• Considering the extent of the breach, the size of the leaked data and the nature of the leaked personal data, the breach will pose significant risks for the persons concerned, such as loss of control over personal data,
• After logging into the system with malicious software and tools, information is collected by accessing other systems by the person or persons entering the system, and the installation and operation of harmful software on the system. not noticed by the data controller for 8 days therefore, it is necessary to check which software and services are running in the information networks and to determine whether there is a leak or an action that should not be in the information networks. fault of the responsible,
• Since 18.03.2021, alarms have occurred in security software, and these alarms can be seen in products monitored by third party companies. Before the relevant notifications are made to the Yemek Sepeti Security Teams and It was stated that it was closed without taking the necessary actions.Considering that the cyber attack was noticed as a result of the examination of the alarm sent on 25.03.2021 by Yemek Sepeti Security Teams, this indicates that the data controller does not have an effective control mechanism over the third party companies that serve, and that there are deficiencies in the follow-up of security software and the use of security procedures,
• The data obtained by the attackers from the data controller forwarded to an IP address/server location in FranceConsidering that 28.2 GB of data leaving the system/outgoing traffic cannot be noticed by the data controller and that this data traffic has traces on the firewall; Although there are traces on the firewall, the leak of data of this size cannot be noticed, security controls and data security by the data controller. not being followed up properly. is an indicator,
• Considering that it is stated that the server with the vulnerability is a server that has passed the penetration test, this situation is determined by the data controller. Penetration tests are not/are not done effectively it shows,
• The fact that the data controller who processes large amounts of personal data experiences such a breach and delay in intervention It is an indication that it does not determine the current risks and threats well.

Regarding the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law on the Protection of Personal Data No. 6698, the extent of the violation in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account the unfair content of the offense, the fault of the data controller and the economic situation. 1,900,000 TL administrative fine to the implementation
decided.”

What happened? We tell chronologically!

• Yemeksepeti came up with a big data leak. The hackers, who said that they had seized the data, reached Mesut Çevik and İbrahim Haskoloğlu and forwarded the personal data about them to them.
  • The hackers said that they reached Nevzat Aydın, the former CEO of Yemeksepeti and requesting payment had suggested.
  • Yemeksepeti confirmed the ransom demand in the statement it shared on the subject, did not accept the request they had explained.
  • Most importantly, any system It was stated that no data breach or theft was detected...
  • Sharing a new statement on the same day, the hackers announced that they will publicly publish the addresses and phone numbers of Yemeksepeti employees.
• Hackers who hacked Yemeksepeti on November 21, 2021, shared a new statement and announced that they would publish the data if the payment was not made within a day.
• On November 27, 2021, the fears became reality. Instead of sharing employee data, hackers He shared the data of 20 thousand Yemeksepeti users publicly.. This data included addresses, phone numbers and all kinds of personal information.
• The shared information fell into the hands of the perverts in a very short time. Some users sharing on social media shared heartbreaking messages sent by people they do not know who contacted them by phone.
• Hackers also said that they reached the new CEO of Yemeksepeti about the data, but they didn’t get an answer explained.
• On November 29, KVKK officially launched an investigation on Yemeksepeti.
• hackers, Information of our webtekno team member Shared with İbrahim Haskoloğlu.
• While all this was going on, Yemeksepeti filed criminal complaints against members of the press who shared on the subject.

On December 4, 2021, we shared our video, in which we talked with Mesut Çevik, İbrahim Haskoloğlu and our team member whose information was shared, and which explains the event in detail.