Turkey: KVKK announces Hotiç Ayakkabı data breach
On September 7, 2023, the Personal Data Protection Authority (KVKK) announced a data breach that occurred within Hotiç Ayakkabı San. ve Tic. A.Ş. In particular, the KVKK highlighted that Hotiç Ayakkabı notified the KVKK of a data breach in accordance with Article 12(5) of the Law on Protection of Personal Data No. 6698. Moreover, the KVKK noted that, according to the breach notification, Hotiç Ayakkabı had received service from a data processor regarding the permission management platform that the data controller created for sending SMS and email. However, unauthorized persons attempted to log in to the account assigned to the data controller on this platform on June 6, 2023, and customers' mobile phone information was accessed. Through this, the unauthorized persons sent phishing text messages to the relevant individuals. Hotiç Ayakkabı was notified of the data breach through its employees, since they were also included in the text message-sending groups.
In addition, the KVKK emphasized that the number of people and records affected by the violation is 1,926,889 and that the personal data affected by the breach includes the mobile phone information of the customers.
You can read the press release, only available in Turkish, here.