On April 3, 2024, the Personal Data Protection Authority (KVKK) disclosed a data breach involving Yamaha Motor Europe N.V. (Yamaha Motor Europe). The KVKK highlighted that Yamaha Motor Europe promptly notified them of the breach, as required by Article 12(5) of the Law on Protection of Personal Data No. 6698.

According to Yamaha Motor Europe's notification, the breach was detected on March 26, 2024, by an independent cybersecurity researcher who identified a security vulnerability in Yamaha Motor Europe's customer registration management (CRM) system. While the exact start date of the breach remains unclear, Yamaha Motor Europe noted it might have been initiated in 2019.

The security vulnerability stemmed from a misconfiguration in the customer portal operating on the CRM system, enabling any registered user to access other users' personal data. It is presumed all customer records added to the CRM system before 2021 were affected.

Approximately 35,988 individuals from Turkey are estimated to have been impacted by the breach, including customers and potential customers, with compromised personal data such as name, surname, gender, email address, (internal) customer number data, and, for a limited number of individuals, postal address and telephone number data.

You can read the press release here, only available in Turkish.