The Turkish Personal Data Protection Authority (KVKK) fined Facebook today 1.65 million Turkish lira ($270,000) for an API bug that exposed personal photos of 300,000 Turkish users.
The fine is in relation to a security incident that Facebook disclosed in December 2018.
At the time, Facebook said that a bug in the Photo API might have exposed the non-public photos of 6.8 million users to around 1,500 apps built by 876 developers.
The bug was present in Facebook’s code from September 13 to September 25, 2018, and Facebook said it found no evidence of abuse.
But in a press release today, the KVKK said it decided to fine the US-based social network for failing to react in a timely manner and fix the bug, but also for neglecting to notify Turkish authorities of the incident.
The 1.65 million Turkish lira fine is 1 million for failure to fix the bug in time, and the rest is for failing to notify the KVKK of the API bug’s impact on Turkish users.
Turkey also investigating Facebook for September 2018 breach
However, today’s fine isn’t Facebook’s last interaction with the KVKK, which is also investigating the company for its September 2018 data breach, when it publicly disclosed a severe incident during which unknown attackers exploited three bugs to steal the personal details of 50 million users –later adjusted to 30 million.
In March, Turkish media reported that Facebook had filed an extensive 30-page response to the KVKK’s investigation into its September 2018 security incident.
That case is still pending, but Facebook may soon face another investigation from the KVKK in the meantime.
In March, Facebook disclosed yet another security incident, admitting to storing hundreds of millions of users’ passwords in plaintext, along with plaintext passwords for millions of Instagram accounts.
Microsoft under investigation as well
Also today –in related data breach news– the KVKK announced it also started an investigation into Microsoft‘s recently disclosed security breach.
Last month, the OS maker said hackers compromised a Microsoft support agent’s account, which they used to view information about some users’ accounts, such as e-mail addresses, folder names, the subject lines of e-mails, names of correspondents, and some emails’ contents.
The KVKK believes some Turkish users were impacted.
More data breach coverage: