Data Breaches in Turkey & Enforcement Push in Nigeria
04.09.2025

Recent incidents in Turkey affected individuals whose personal data was leaked or even sold online. Meanwhile, Nigeria’s data protection authority has launched its largest investigation to date, targeting more than 1,300 organizations across high-risk sectors.

Without further delay, let’s get to the main story. The Turkish data protection authority (KVKK) recently published several announcements about security incidents.

The first case involves Board by Board, an HR service provider for job seekers. According to the official report, the incident was caused by a system misconfiguration during the rollout of a new feature. This error exposed résumé data belonging to 3,168 users. The scope of the leaked information varied depending on what individuals had included in their CVs. While some résumés contained only basic details such as first and last name, others included contact information, employment history, education records, photos, or other sensitive data.

The second case concerns the Turkish Medical Association. In August 2025, the Association’s systems were targeted by unknown attackers. The cyberattack resulted in the deletion of records related to both members and employees. Preliminary findings suggest that more than 100,000 individuals may have been affected. The compromised data included:

  • National ID numbers
  • Contact details
  • Location information
  • Other sensitive records

The third incident involved Biletal İç ve Dış Ticaret A.Ş., a trading company. Approximately 7,800 customers were affected. The exposed data included:

  • National ID numbers
  • Contact details
  • Customer transaction history

Investigators confirmed that the stolen data was later offered for sale on illegal platforms.

These cases serve as a reminder that strong security practices, continuous monitoring, and strict compliance with data protection laws are essential to safeguard both organizations and the people who trust them with their data.

The Nigeria Data Protection Commission (NDPC) has announced its largest enforcement campaign to date under the Nigeria Data Protection Act (NDPA) of 2023. The regulator is investigating 1,369 companies suspected of violating data privacy regulations as part of a broader, sector-by-sector inspection effort.

Organizations that received notices are required to prove compliance with the NDPA within 21 days or risk sanctions. The list of companies under scrutiny includes:

  • 795 financial institutions,
  • 392 insurance brokers,
  • 192 gaming companies,
  • 35 insurance companies,
  • 10 pension firms.

According to Nigerian experts, the next wave of investigations is likely to focus on other high-risk sectors that process large volumes of personal and sensitive data, including:

  • Aviation,
  • Telecommunications,
  • E-commerce,
  • Healthcare.

Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations at the NDPC, emphasized:

“Failure to comply with the compliance notice may result in enforcement actions, including enforcement orders, administrative fines, and/or criminal prosecution in accordance with the NDPA.”

The notices require organizations to provide:

  • Evidence of filing their 2024 NDPA compliance audit returns;
  • Proof of appointing a Data Protection Officer (DPO);
  • A summary of their technical and organizational measures for data protection;
  • Evidence of registration as a Data Controller or Data Processor of Major Importance.

Compliance can be a challenging task for both public organizations and private businesses. However, most regulators have now begun active enforcement campaigns following initial grace periods. Failure to comply may result in legal action and substantial fines.

The SearchInform team helps businesses navigate compliance requirements by offering advanced investigation tools that support local languages and powerful protective capabilities with built-in reporting templates. Our Next-Gen Data Loss Prevention (DLP) system, Risk Monitor, not only provides effective protection against accidental and intentional data leaks but also simplifies compliance reporting.

In addition, the Next-Gen DLP solution protects organizations against corporate fraud. All of these capabilities are integrated into a single, unified platform.

