It has been stated in the notification dated 08.05.2019 sent to the Data Protection Authority (“Authority”) by Microsoft Corporation, as being a data controller, that:
- Identification information of call support manager, working at one of Microsoft’s service providers, is captured,
- Thus, outsiders having no ties with Microsoft had access to information at Microsoft users’ e-mail accounts,
- Relevant manager shared his/her account login information with his/her 13 support team members, which is against Microsoft Policy,
- Upon ascertainment of such breach, relevant account login information is cancelled,
- There are approximately 1.820 people in Turkey adversely affected from this breach,
- The relevant users may be exposed to phishing attacks since the breach concerns emails.
Although the necessary examination still continues, the Board concluded to announce this data breach at the Authority’s web site by its decision dated 10.05.2019 and numbered 2019/130.
The said decision attracts our attention in terms of concretely disclosing that the data controllers are not only liable with their own transactions and actions, but also with their data processors’ transactions and actions. Besides, the decision also emphasizes importance of trainings to be given to employees on data security and privacy.
Please let us know if you have any queries.