On July 18, 2024, the Personal Data Protection Authority (KVKK) disclosed a significant data breach involving Güneş Ekspres Havacılık A.Ş., also known as SunExpress. The breach, which occurred on July 15, 2024, was reported to KVKK by SunExpress as required under Article 12(5) of the Law on Protection of Personal Data No. 6698. This notification was crucial in complying with legal obligations related to data protection and transparency.
The breach was caused by a cyber attacker who gained unauthorized access to SunExpress’s campaign management platform using stolen login credentials from an administrator account. Once inside the platform, the attacker used this access to send phishing emails. The scale of the attack was substantial, with the attacker dispatching a total of 1,986,293 phishing emails to 596,659 unique email addresses.
The compromised data primarily includes email addresses belonging to employees, customers, and potential customers of SunExpress. The extensive reach of the phishing emails underscores the severity of the breach and highlights potential risks for those affected, including possible follow-up phishing attempts or other malicious activities.
SunExpress has taken the necessary steps to inform KVKK and is likely working on measures to address the breach and prevent future incidents. The incident underscores the importance of robust cybersecurity practices and the need for vigilance in protecting sensitive data from unauthorized access.
Reference:
