Personal Data Breach of a Bank Reported to the Institution’s

Although it cannot be determined that the bank personnel sent the critical information (identity card, balance, identity, contact information, etc.) of three different customers to their personal e-mail addresses on two different dates, money was withdrawn from the account of one of the relevant customers with false documents, and data was leaked. Concretely, three other different customers were involved in the investigation. These customers' information (identity card, balance, identity, contact information, etc.) was also viewed without justification by the same personnel, and it was concluded that the personnel was instrumental in high-amount fraudulent acts by taking the data of at least 6 customers out of the bank and that it was highly probable that they benefited from it.

The number of people affected by the violation is 6 (six) and the number of records is 24 (twenty-four). As a result of the violation, the employment contract with the Bank was terminated due to the irregular actions of the personnel, and a criminal complaint was filed with the Prosecutor's Office for fraud and embezzlement crimes against the personnel and all persons involved in the incident. In this context, transactions are made from customers' accounts without their knowledge and customer losses occur, and all losses of customers are compensated by the Bank.

As a result of the review of these violation notifications, the following points were made in the Board's Decision dated 26/11/2019 and numbered 2019/352:

Although it is stated that there is a Data Leak Detection/Prevention System regarding e-mails sent by employees outside the Bank, there is a personal data leak from the corporate e-mail that caused the violation in question, and the measures taken are not sufficient to prevent this violation.

The bank stated as a technical precaution that "If e-mails containing credit card numbers are intended to be sent outside the Bank, if the number of cards is above a certain number, this e-mail is quarantined and cannot be sent", and this measure is at a level that can be easily overcome by malicious people in such violations.

The identity card, balance, ID, contact, credit card number, etc. information of the persons affected by the breach was leaked and fake documents were prepared using this information, thus facilitating high-amount fraud activities.

The specified measures do not prevent large amounts of money withdrawals and issuance of false documents without the customer's knowledge.
