The Turkish KVKK, the Personal Data Protection Authority, has released four official statements on recent data breaches that have affected a university, two luxury goods traders, and a logistics company. Criminals exposed employees’ and clients’ sensitive data. At the same time, malicious actors have targeted a Saudi-based major food manufacturer. The incident could potentially affect the food supply chain in the region.

Alarming news continues to emerge from the Gulf region, with reports of a major attack on Almarai, a leading Saudi food and beverage manufacturer. Almarai is a critical component of the region's food supply chain, and its revenue for 2024 amounted to SAR 21 billion (approximately $5.6 billion).

As a result of this attack, the attackers were able to exfiltrate sensitive corporate data and claimed to have persistent access to the company's systems. Preliminary reports indicate that customer and company records may have been exposed. This incident could have serious long-term implications, as the stolen data could be used for various criminal activities such as financial fraud, identity theft, and industrial espionage.

The public exposure of confidential information could endanger Almarai's customers and partners, potentially disrupting business operations. Preliminary stolen data includes:

• Full customer information (name and contacts);
• Customer financial and credit information (credit limit, payment mode);
• Commercial registration numbers and VAT registration details;
• Depot and service information.

The Almarai data breach serves as a reminder that criminals continue to target critical industries and companies, including those in the energy, healthcare, water treatment, and food sectors. Incidents in these areas can potentially affect not only the population of a specific state but also the entire region and put thousands at risk. It is important to emphasize that prioritizing information security is essential for companies like Almarai.

Starting from the beginning of June, several news came from the Turkish Personal Data Protection Authority. The regulator made four official statements on the recent data breaches. University, two luxury goods companies, and a transportation business fell victim to the attacks.

The first one on our list is the incident in the logistics industry. According to official statements, criminals gained access to a large amount of sensitive data from Manulaş Manisa Transportation Services and Machinery Industry and Trade Inc. The adversaries exposed more than 1 million records. The preliminary investigation suggests that the actual number of affected individuals may be significantly lower, as there are many duplicate records in the system. The set of exposed data includes:

• Full names,
• ID numbers,
• Address
• Occupation
• And health information.

Despite the lack of details, this data breach should be considered a significant incident, which resulted in the gaining of illicit access to sensitive records in large numbers, including highly confidential health data.

The list of affected parties continues with two luxury goods companies, which also fell victim to criminals. Incidents with TCO Turkey Jewelry Trading Ltd., a subsidiary of US-based Tiffany and Co., and Richemont Istanbul Luxury Goods were detected at the start of June. Information about the number of affected persons in the case of TCO Turkey Jewelry is still unknown. However, officials claim that employees’ names, contacts, and credentials were exposed. It’s unclear if the customer’s personal data was exfiltrated.

In contrast, the Richemont Istanbul Luxury Goods data breach resulted in the exposure of customers records. Criminals accessed an employee's account and used it to gain access to internal files. The number of affected individuals should not exceed 26 thousand customers. As a result of the incident, malicious actors managed to exfiltrate only the following records:

• Names,
• E-mails,
• ID numbers
• And date of birth.

Luxury goods companies are prime targets for malicious actors, as they possess highly valuable customer information. Due to the sensitive nature of clients’ records, it’s safe to assume that adversaries will continue to target companies from the premium segment.

And the last name on the list of victims is Istanbul Gedik University. According to an official statement from KVKK, criminals have breached the university's systems and gained access to students' and employees' data. Malicious actors have exposed more than 200,000 records on 23,269 individuals.

The security team at Gedik University has implemented several protective measures to help mitigate the consequences of this breach. As a result of the attack, the intruders exfiltrated the following data:

• Masked names (only the last four digits are visible),
• ID numbers,
• E-mails,
• And some of the internal data.

This incident is just one in a series of cyberattacks targeting the Turkish education sector. In February, two universities were targeted, and in March, criminals gained access to data from a university's mobile application. Educational organizations are a primary target for cybercriminals because they store and process vast amounts of data on applicants, students, and employees.

Nowadays, information security is an absolute essence for business & public bodies, including SMEs. While large enterprises can enjoy the benefits of solid budgets and stable funding, growing firms and companies have to be innovative and flexible in ensuring cost-effective and reliable protection against multiple threats.

SearchInform has developed Managed Security Service (MSS) especially for small and medium businesses. The service is a tailor-made answer to security challenges for companies with limited budget allocations and finite access to qualified security experts on the job market. Managed security services provide 360-degree protection against data leaks and safeguards from internal threats, like fraud and kickbacks.

 Start your free 30-day trial now and conduct a security audit in your organization today.