This once, Personal Data Protection Authority ("Authority") has the technology giants on its agenda. Facebook, lately being challenged by the administrative authorities of many countries, got caught by the radar of Personal Data Protection Board ("Board"). The Board imposed a significant amount of administrative fine to Facebook as an implication of its serious stance against notification of data breaches and the precaution requirements. At the same time another tech giant, Microsoft Corporation ("Microsoft") was knocking on the Board's door, for the notification of the data breach it experienced. In this article, we will provide the details on both the Facebook decision as well as Microsoft data breach.

Your Facebook photos are in danger!

The data breach announced by Facebook's Engineering Director Tomer Bar in December 2018 cost Facebook dearly. The Board considered the API bug which allowed third parties to access Facebook users' photos and have affected 6.8 million users and 1500 applications as a violation of data privacy/confidentiality. After finding out about the violation, the Board initiated an ex officio investigation and ruled that:

  • The fact that the software bug in question lasted for 12 days and that Facebook was not able to respond timely indicates that the company has failed to take the necessary technical and administrative precautions;
  • While the access permission granted shall only cover photos posted on users' timeline, it also covered non-public photos posted on Marketplace, Facebook Stories and ones saved as draft and not yet published which is a violation of the principles of lawfulness and conformity with rules of bona fides and being relevant with, limited to and proportionate to the purposes for which they are processed;
  • The trouble Facebook had with controlling the data flow in its own platform constitutes a violation of its liabilities with regards to data security;
  • The application is programmed in a way that the permission to access users' friends' information, and other information is a requirement for subscription and which is not in conformity with the concept of explicit consent and is a violation of the principle of lawfulness and conformity with rules of bona fides; and
  • Approximately 300,000 users in Turkey might be affected from this data breach.

In the Board decision, an administrative fine of 1,100,000 TRY was rendered on the grounds that the case in question constitutes a data breach and Facebook has not taken necessary technical and administrative precautions for preventing it. In addition, Facebook received another fine worth 550,000 TRY for the late notification of data subjects (3 months following the breach) and for not notifying the Board at all. Data controllers are obliged to notify the Board within 72 hours after learning about a breach and to notify the data subjects in the shortest time possible. A point worth mentioning here is that both decisions were taken unanimously by the Board.

Who has access to your Microsoft e-mails?

On a notification dated 08.05.2019 by Microsoft Corporation ("Microsoft"), it was reported to the Authority that the credentials of a call support manager working at Microsoft's service provider was captured. The Authority elaborated on the scope of the breach in the announcement published on its website.

It is presumed that the manager whose credentials has been captured shared his account access information with 13 support representatives in defiance of the company policy and that the breach occurred as a result of a phishing activity targeting one of such representatives. Although the relevant account's log in access was terminated after the determination of the breach, it was reported that third parties were able to access address, file name, subject line and the other contact e-mail address information during the breach.

As it is estimated that there are 1820 data subjects in Turkey, it was underlined that a few of such data subjects might have experienced an unauthorized access to also the content and appendix of their e-mails. It was emphasized that the users became vulnerable to phishing attacks considering that their e-mail addresses had been captured within the scope of the breach.

As a result,

Closely following the recent developments in its field, the Board used the Facebook decision as a reminder to data controllers of their responsibilities in relation to technical and administrative precautions and data breach notifications.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.