The Sentencing of Yemeksepeti Has Been Announced


The fine imposed on Yemeksepeti, which in recent weeks has been at the centre of a major hacking allegation in which the personal information of tens of millions of users was leaked, has been announced.

The final decision was made today regarding the incident, which came to the fore with a major hacking scandal in recent weeks and in which the data of tens of millions of Turkish users was allegedly seized. The Personal Data Protection Authority (KVKK), which opened an investigation after the news appeared in the press, announced the penalty to be applied to Yemeksepeti.

According to the decision shared by KVKK, Yemeksepeti was sentenced to an administrative fine of 1 million 900 thousand TL.

All details about the attack were shared


The full decision published by KVKK is as follows:

“As a result of the examination of the data breach notification within the framework of the Authority’s powers and duties, with the Decision of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1324;

  • The server was accessed by installing an application and running a command through a vulnerability on a web application server belonging to the data controller,
  • 21,504,083 Yemeksepeti users were affected by the breach,
  • The affected personal data consist of username, address, phone number, e-mail address, password and IP information,
  • Considering that the number of people affected by the breach is large and that almost the entire customer database was leaked, the breach is very extensive,
  • Considering the extent of the breach, the size of the leaked data and the nature of the leaked personal data, the breach will pose significant risks for the persons concerned, such as loss of control over personal data,
  • After logging into the system with malicious software and tools, the person or persons who entered the system collected information by accessing other systems, and the installation and operation of harmful software on the system was not noticed by the data controller for 8 days; since it is necessary to check which software and services are running in the information networks and to determine whether there is a leak or an action that should not be in those networks, this is the fault of the data controller,
  • Since 18.03.2021, alarms had been occurring in security software, and these alarms could be seen in products monitored by third-party companies; it was stated that the alarms were closed without the necessary actions being taken, before the relevant notifications were made to the Yemek Sepeti Security Teams. Considering that the cyber attack was noticed as a result of the Yemek Sepeti Security Teams examining the alarm sent on 25.03.2021, this indicates that the data controller does not have an effective control mechanism over the third-party companies that serve it, and that there are deficiencies in the follow-up of security software and in the use of security procedures,
  • The data obtained by the attackers from the data controller were forwarded to an IP address/server located in France. Considering that 28.2 GB of data leaving the system as outgoing traffic could not be noticed by the data controller and that this data traffic left traces on the firewall, the fact that a data leak of this size could not be noticed although traces were present on the firewall is an indicator that security controls and data security were not being followed up properly by the data controller,
  • Considering that the server with the vulnerability is stated to be a server that had passed a penetration test, this situation shows that penetration tests are not performed, or are not performed effectively, by the data controller,
  • The fact that a data controller processing large amounts of personal data experienced such a breach and such a delay in intervention is an indication that it does not assess current risks and threats well.

Regarding the data controller, which did not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law on the Protection of Personal Data No. 6698, it was decided, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law and taking into account the extent of the violation, the unfair content of the offense, the fault of the data controller and its economic situation, to impose an administrative fine of 1,900,000 TL.
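
As an added illustration, not part of the decision and not code from Yemeksepeti's systems: the findings above note that 28.2 GB of outgoing traffic to a single external address left traces on the firewall yet went unnoticed. The Python below shows the kind of check that would have surfaced it, summing outbound bytes per external destination from firewall log lines and flagging totals above a threshold. The log line format, the 10.0.0.0/8 internal range, the 10 GB threshold and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the incident). The format is an
# assumption: "<time> src=<ip> dst=<ip> proto=<p> dport=<n> bytes_out=<n>".
SAMPLE_LOG = """\
2021-03-19T02:11:04Z src=10.20.1.15 dst=198.51.100.7 proto=tcp dport=443 bytes_out=4100000000
2021-03-19T02:14:51Z src=10.20.1.15 dst=198.51.100.7 proto=tcp dport=443 bytes_out=5100000000
2021-03-19T03:01:12Z src=10.20.1.22 dst=10.20.5.9 proto=tcp dport=5432 bytes_out=30000000000
2021-03-19T03:10:33Z src=10.20.1.15 dst=203.0.113.40 proto=tcp dport=443 bytes_out=850000
2021-03-20T01:05:09Z src=10.20.1.15 dst=198.51.100.7 proto=tcp dport=443 bytes_out=19000000000
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=\d+ bytes_out=(?P<bytes>\d+)$"
)


def is_internal(addr):
    """True if the address falls inside one of the assumed internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_destination(log_text):
    """Sum bytes sent from internal hosts to each external destination."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count and report these
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Only internal -> external transfers count towards exfiltration volume;
        # the large internal database transfer on line 3 is deliberately ignored.
        if is_internal(src) and not is_internal(dst):
            totals[str(dst)] += int(m["bytes"])
    return dict(totals)


def flag_large_egress(totals, threshold_bytes):
    """Return the destinations whose cumulative outbound volume exceeds the threshold."""
    return {dst: n for dst, n in totals.items() if n > threshold_bytes}


if __name__ == "__main__":
    for dst, n in flag_large_egress(egress_by_destination(SAMPLE_LOG), 10_000_000_000).items():
        print(f"ALERT: {n / 1e9:.1f} GB sent to external host {dst}")
```

In practice the same aggregation is run per day or per sliding window and compared against each host's baseline rather than a single fixed threshold.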