Turkish DPA fines Facebook $271K for huge data breach



A huge data breach exposes millions of Facebook users’ personal photos. Tech giant Facebook faces another fine for not handling the data breach in a timely manner.

Turkey’s Personal Data Protection Authority (KVKK) announced on Friday (May 10th) that it has fined American social media giant Facebook a total of 1.65 million lira ($271,000) due to a large-scale data breach.

The decision was taken after a bug in a photo application programming interface (API) allowed third-party applications to access photos of more than 6.8 million Facebook users.

The KVKK estimates that more than 300,000 Turkish Facebook users have been affected by the breach. Moreover, the KVKK states that the API bug was present for 12 days in September 2018.

Facebook stands accused of not intervening in time, which shows there were deficiencies in its technical precautions regarding the issue. Facebook never made any statement about the personal data breach, which is an absolute violation of Article 12(5) of the Turkish Data Protection Law.

The KVKK said it decided to fine the US-based social network for failing to fix the bug in time, and also for neglecting to notify Turkish authorities of the incident.

Facebook also investigated for other data breaches

However, the incident is not Facebook’s only clash with Turkish data protection authorities. Facebook is also being investigated over another September 2018 data breach, in which unknown attackers exploited three bugs to steal the personal details of 50 million users (adjusted to 30 million).

This case is still pending, but Facebook may soon face another investigation from the KVKK.

In March 2019, Facebook disclosed yet another security incident, admitting to storing hundreds of millions of users’ passwords in plaintext.

Image: Turkish DPA fines Facebook for data breach (source: LinkedIn, Serhat Turan)

Safeguarding user data is essential to brand trust

Taking measures to protect your website users’ personal data is imperative to maintaining trust in your company brand. Moreover, a solid data protection strategy and privacy policy will be your ultimate shield against investigations from Data Protection Authorities.

If you are looking to become or remain compliant for your company website, check our product catalogue. Cookie Information provides ePrivacy and GDPR valid consent solutions for your websites and mobile apps, so you won’t have to worry about data breaches.



