On 15 February 2022, the Turkish Personal Data Protection Authority (“DPA”) published a public announcement regarding technical and organizational measures to be taken by data controllers, following the increase in data breaches caused by the publication of data subjects’ username and password information on publicly available websites. In the announcement, the DPA lists various technical and organizational measures and recommends that data controllers take those appropriate for their operations. You may access the announcement here (in Turkish).
What does the announcement say?
From the recent data breach notifications, the DPA has identified that the credentials (usernames and passwords) data subjects use to log in to the websites of data controllers operating in the finance, e-commerce, social media and gaming sectors are being published on other websites. These credentials are then being used to unlawfully access the data subjects’ personal data, and such data are offered for sale and marketed as data sets.
The DPA has stated that, pursuant to Article 12 of the Personal Data Protection Law, data controllers are obliged to take the necessary organizational and technical measures to ensure the appropriate level of security for the protection of personal data. In this context, the DPA has pointed out that the violations at hand were caused by a lack of technical and organizational measures and recommended that data controllers take the following measures to prevent unauthorized access to personal data:
- Establishing two-stage authentication systems and presenting them as an alternative security measure
- Sending login information to the data subjects’ contact address via email or text message, in cases where users log in to their accounts from different devices
- Using HTTPS or another tool with the same security level
- Using secure and up-to-date hashing algorithms
- Limiting the number of unsuccessful login attempts from the IP address
- Ensuring that data subjects can view information about at least their last five successful and unsuccessful login attempts
- Reminding the data subjects that the same password should not be used on more than one platform
- Creating a password policy
- Ensuring that passwords are changed periodically, or reminding data subjects to do so, and preventing a new password from being the same as an old one (at least the last three passwords)
- Using technologies such as security codes (CAPTCHA, simple arithmetic questions, etc.) that distinguish computer from human behavior during login
- Restricting the IP addresses from which the systems may be accessed
- Ensuring that passwords entered into the systems contain at least 10 characters, upper and lower case letters, numbers and special characters
- Updating and controlling systems regularly, if third-party software or services are being used to log in to the systems
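Several of the listed measures (the password policy, the password-history check, secure hashing, per-IP limiting of failed logins, an attempt history the data subject can review, and flagging a login from an unknown device for notification) can be implemented together in the login path of an application. The following is an added illustration written for this page, not code from the DPA's announcement or from this post's author; the lockout threshold, the PBKDF2 iteration count and the `Account` and `AuthService` names are assumptions, and the sample usernames and IP addresses are constructed.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Parameters mirroring the announcement's recommendations (values assumed where unspecified).
MIN_LENGTH = 10            # passwords must contain at least 10 characters
PASSWORD_HISTORY = 3       # reject reuse of at least the last three passwords
MAX_FAILED_PER_IP = 5      # lock out an IP after this many consecutive failures (assumed value)
ATTEMPTS_SHOWN = 5         # data subject can review at least five login attempts
# Kept low so the example runs quickly; OWASP recommends 600,000 iterations for
# PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 100_000


def password_meets_policy(password: str) -> bool:
    """Length 10+, with an upper-case letter, a lower-case letter, a digit and a special character."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Used so that a login for a non-existent user costs the same as a real verification.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unknown-user-placeholder")


@dataclass
class Account:
    salt: bytes
    digest: bytes
    previous: list = field(default_factory=list)   # (salt, digest) of retired passwords, newest first
    known_ips: set = field(default_factory=set)    # stands in for "known devices"
    attempts: list = field(default_factory=list)   # (ip, succeeded) audit trail, newest first


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.failed_by_ip = defaultdict(int)

    def register(self, username: str, password: str) -> str:
        if not password_meets_policy(password):
            return "weak-password"
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)
        return "ok"

    def change_password(self, username: str, new_password: str) -> str:
        acct = self.accounts[username]
        if not password_meets_policy(new_password):
            return "weak-password"
        # Reject the current password and the retained history of old ones.
        for salt, digest in [(acct.salt, acct.digest)] + acct.previous:
            if verify_password(new_password, salt, digest):
                return "reused-password"
        acct.previous = ([(acct.salt, acct.digest)] + acct.previous)[:PASSWORD_HISTORY]
        acct.salt, acct.digest = hash_password(new_password)
        return "ok"

    def login(self, username: str, password: str, ip: str) -> str:
        if self.failed_by_ip[ip] >= MAX_FAILED_PER_IP:
            return "ip-locked"           # the credentials are not evaluated at all
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
            ok = False
        else:
            ok = verify_password(password, acct.salt, acct.digest)
            acct.attempts.insert(0, (ip, ok))
        if not ok:
            self.failed_by_ip[ip] += 1
            return "denied"
        self.failed_by_ip[ip] = 0
        if ip not in acct.known_ips:
            acct.known_ips.add(ip)
            return "ok-new-device"       # caller notifies the data subject by email or SMS
        return "ok"

    def recent_attempts(self, username: str) -> list:
        """The most recent attempts, for display to the data subject."""
        return self.accounts[username].attempts[:ATTEMPTS_SHOWN]
```

The per-IP counter is the announcement's measure taken literally; in practice it is combined with a per-account counter, since a single source address can be shared by many legitimate users and an attacker can rotate addresses. The "new device" signal here is keyed on the source IP only as a stand-in; a real deployment would use a device cookie or fingerprint.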
From a data security perspective, it is important for both data subjects and data controllers that these measures are taken, in compliance with Article 12 of the Personal Data Protection Law. Data controllers should review the measures and implement those appropriate for their operations.