Data on the Arçelik BizBize mobile application and website, used by Arçelik for sales target campaigns of dealers and authorized services, were leaked. It was determined that Arçelik BizBize’s admin panel was accessed and personal data was seized by a cyber attacker in Germany. While the information of approximately 30 thousand people, consisting of authorized service and dealer employees, was obtained, there was no leakage of customer data.
What information was captured?
Identity (name, surname, TCKN, title, date of birth, gender), communication (e-mail address, GSM number), transaction security (LDAP (Lightweight directory access protocol) code (data retention and access verification) of authorized services and employees in the cyber attack is the code used for), user password, registration and update date, last login date, account activity status, device model, version and operating system information, application version information, notification permission status), point earning and spending information of dealers and authorized service employees, Although there is no expertise, training, date of employment, personal information of the person concerned, the code, name and address of the dealer and store he was working with were seized.
It was stated that persons exposed to data leaks can get detailed information by filling out the form at https://privacyportal-eu.onetrust.com/webform/1ee6a6ce-9b09-49bd-b9e4-a3544706c63e/6361bf5f-8fd5-4af5-8c3a-6cd46cddca1b.
In addition to the data breach notification announcement in the KVKK, Arçelik made the following statement:
“It has become necessary to make a statement on the posts about accessing the personal data of some of our dealers and authorized service employees.
A cyber attack was carried out on an application used within our company. Access to our application originates from the system of a supplier serving many other companies and brands, and all necessary technical and legal measures have been taken. Protection of personal data and cyber security are among the top priorities of our company. The systems affected by the event do not include payment and financial information. Currently, there are no vulnerabilities related to access to personal data.”