Changeflow GovPing Data Privacy & Cybersecurity KVKK Publishes Data Breach Notice for English T...
Priority review Notice Added Final

KVKK Publishes Data Breach Notice for English Time Eğitim Kurumları AŞ

Favicon for www.kvkk.gov.tr Turkey Personal Data Protection Authority
Published
Detected
Email

Summary

KVKK published a public data breach notice regarding English Time Eğitim Kurumları AŞ following Board Decision No. 2026/798 dated April 15, 2026. The breach began April 4, 2026 and was discovered April 12, 2026, after attackers gained unauthorized access to the company's CRM panel and used automated tools to extract data in bulk. Approximately 300,000 individuals were affected, including students (whose identity, contact, location, and transaction data were exposed) and other personnel (whose identity, contact, location, and employment records were compromised).

“Veri ihlalinden yaklaşık 300.000 kişinin etkilendiği bilgilerine yer verilmiştir.”

KVKK , verbatim from source
Why this matters

Educational institutions and any organization operating CRM systems holding personal data at scale should treat this as a concrete example of automated bulk-extraction risk. The attack vector — unauthorized CRM panel access combined with software-assisted data scraping — is a common pattern. Organizations should audit CRM access logs, enforce privileged access management, and ensure logging is sufficient to detect and reconstruct automated extraction attempts.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by KVKK on kvkk.gov.tr . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors Turkey Personal Data Protection Authority for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.

View original document View source feed page

What changed

KVKK published a public notice pursuant to Article 12(5) of Law No. 6698 on Protection of Personal Data after English Time Eğitim Kurumları AŞ reported a data breach. The breach involved unauthorized access to the company's CRM panel, where attackers used software tools to automatically extract data in bulk. The KVKK Board determined the breach warranted public disclosure under Decision No. 2026/798.

Organizations operating CRM systems and holding large volumes of personal data should review access controls, implement multi-factor authentication, and deploy automated threat detection. The 300,000 affected individuals face risk of identity theft and fraud; educational institutions should advise affected parties to monitor for phishing attempts using exposed contact information.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Yayınlanma Tarihi: 15 Nisan 2026, Çarşamba

Kamuoyu Duyurusu (Veri İhlali Bildirimi) – English Time Eğitim Kurumları AŞ

Bilindiği üzere, 6698 sayılı Kişisel Verilerin Korunması Kanununun “Veri güvenliğine ilişkin yükümlülükler” başlıklı 12 nci maddesinin (5) numaralı fıkrası “İşlenen kişisel verilerin kanuni olmayan yollarla başkaları tarafından elde edilmesi hâlinde, veri sorumlusu bu durumu en kısa sürede ilgilisine ve Kurula bildirir. Kurul, gerekmesi hâlinde bu durumu, kendi internet sitesinde ya da uygun göreceği başka bir yöntemle ilan edebilir.” hükmünü amirdir.

Veri sorumlusu sıfatını haiz English Time Eğitim Kurumları AŞ tarafından Kurula iletilen veri ihlal bildiriminde özetle;

  • İhlalin 04.04.2026 tarihinde başladığı ve 12.04.2026 tarihinde tespit edildiği,
  • Saldırganlar, CRM (Müşteri İlişkileri Yönetimi) paneline yetkisiz şekilde giriş yaptıktan sonra; sistemde bulunan kayıtlara, yazılım araçları yardımıyla otomatik olarak toplu bir şekilde erişerek verileri ele geçirdikleri,
  • İhlalden etkilenen ilgili kişi grubunun; çalışanlar, öğrenciler, kullanıcılar, aboneler ve müşteriler olduğu,
  • Veri ihlalinden etkilenen veri kategorisinin öğrenciler için; kimlik (ad soyad, doğum tarihi), iletişim (e-posta adresi, telefon no), lokasyon (adres bilgileri), ve müşteri işlem (kayıt tarihi, sözleşme ve ödeme bilgileri), diğerleri için; kimlik, iletişim, lokasyon, özlük verileri olduğu,
  • Veri ihlalinden yaklaşık 300.000 kişinin etkilendiği bilgilerine yer verilmiştir.

Konuya ilişkin inceleme devam etmekle birlikte, Kişisel Verileri Koruma Kurulunun 15.04.2026 tarih ve 2026/798 sayılı Kararı ile söz konusu veri ihlal bildiriminin Kurumun internet sitesinde ilan edilmesine karar verilmiştir.

Kamuoyuna saygıyla duyurulur.

##### Kişisel Verileri Koruma Uzman Yardımcısı Alımı Yazılı Sınav Duyurusu 10 Nisan 2026

##### Kişisel Verileri Koruma Kurumu ile Jandarma Genel Komutanlığı Arasında İş Birliği ve Bilgi Paylaşımı Protokolü İmzalandı 09 Nisan 2026

##### Ayın Tarihi’nde Dijital Egemenlik ve Veri Koruma Kültürü 09 Nisan 2026

##### KVKK ve Dijital Dünyada Veri Güvenliği Etkinliği Rize’de Gerçekleştirildi 22 Nisan 2026

##### “Finansal Okuryazarlıkta Güncel Gelişmeler” Konulu Çarşamba Semineri Düzenlendi 22 Nisan 2026

##### Kurumumuzun 10. Yılına Anlamlı Hatıra: KVKK Hatıra Ormanı 15 Nisan 2026

Named provisions

Article 12(5) - Data Security Obligations

Parties

English Time Eğitim Kurumları AŞ

Related changes

Favicon for www.kvkk.gov.tr Türk Nippon Sigorta A.Ş. Veri İhlali Bildirimi – 193 Kişi Etkilendi
Priority review Apr 23, 2026 Turkey Personal Data Protection Authority Data Privacy & Cybersecurity
Favicon for www.kvkk.gov.tr 34 Specialist Assistant Positions, Exam 2nd May
Routine Apr 23, 2026 Turkey Personal Data Protection Authority Data Privacy & Cybersecurity

Get daily alerts for Turkey Personal Data Protection Authority

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.kvkk.gov.tr
Turkey Personal Data Protection Authority kvkk.gov.tr/?_Dil=2
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from KVKK.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
KVKK
Published
April 15th, 2026
Instrument
Notice
Branch
Executive
Source language
tr
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Docket
2026/798

Who this affects

Applies to
Educational institutions Healthcare providers Employers
Industry sector
6111 Higher Education
Activity scope
Data breach notification CRM security incident Bulk personal data extraction
Geographic scope
TR TR

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Cybersecurity Consumer Protection

Browse Categories

Agriculture & Food Safety 77 AI Regulation 3 Banking & Finance 482 Consumer Protection 118 Courts & Legal 436 Data Privacy & Cybersecurity 102 Defense & National Security 53 Education 64 Energy 101 Environment 169 Gaming 2 Government & Legislation 461 Healthcare 15 Healthcare & Life Sciences 393 Immigration 10 Insurance 86 Labor & Employment 159 Pharma & Drug Safety 21 Professional Licensing 8 Real Estate & Housing 85 Securities & Markets 177 Tax 84 Telecom & Technology 48 Trade & Sanctions 144 Transportation 94

Get alerts for this source

We'll email you when Turkey Personal Data Protection Authority publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!