Cybercrime in Turkey: Law, Penalties, and Cybersecurity Strategies

Cybercrime in Turkey is prosecuted mainly under the Turkish Penal Code (TCK No. 5237, Articles 243 to 246) for offences against information systems, and under the Personal Data Protection Law (KVKK No. 6698) when personal data is involved. This guide explains the offences, the penalties, the deadlines that catch businesses out, and the practical steps foreigners and foreign companies can take to protect themselves or recover after an attack.

The Cybercrime Landscape in Turkey

Turkey is one of the most heavily connected markets in the region, and that exposure has made it a frequent target. Foreign investors, expat residents, and international companies are often singled out, partly because they may be less familiar with local reporting channels and Turkish-language fraud warnings.

The incidents most commonly seen in practice are:

  • Phishing and social engineering — fake bank emails, SMS (smishing), and cloned login pages used to steal credentials.
  • Account takeover and payment-card fraud — unauthorised transfers, cloned cards, and misuse of online banking.
  • Ransomware and extortion — encryption of company systems followed by a payment demand.
  • Data breaches — theft or leakage of customer, employee, or patient records.
  • Business email compromise (BEC) — fraudulent invoices and redirected wire transfers, a recurring problem in cross-border trade.
  • Identity theft — misuse of passport, tax (vergi) number, or residence-permit data.

Which category an incident falls into matters, because each one maps to a different provision of Turkish law and a different remedy. A redirected supplier payment, for example, is usually treated under Turkish law as fraud committed through a computer, while encrypting a company's servers is a system-interference offence.

How Turkish Law Classifies Cybercrime

Turkish law splits cyber offences into two groups. Direct cybercrimes are committed against information systems themselves and are set out in the Turkish Penal Code (Türk Ceza Kanunu, Law No. 5237). Indirect cybercrimes are ordinary offences — fraud, threats, blackmail — that merely use technology as the tool.

The law: The core information-systems offences sit in TCK Articles 243 to 246, with a separate provision, Article 245/A, aimed squarely at hacking tools and malware. Personal-data crimes are in Articles 135 to 140.

Information-Systems Offences (TCK Articles 243-246)

  • Article 243 — Unauthorised access. Entering another person's system without authorisation, or staying in it, is punishable by imprisonment of up to one year or a judicial fine. The penalty increases where the target is a banking or financial system.
  • Article 244 — System interference and data alteration. Disrupting a system's operation, or destroying, altering, or rendering data inaccessible, is punished more heavily, and the penalty is increased where the target belongs to a bank, credit institution, or public body. Ransomware and sabotage typically fall here.
  • Article 245 — Misuse of bank or credit cards. Using another person's card or card data carries three to six years' imprisonment plus a judicial fine; producing or selling counterfeit cards carries three to seven years, and using a counterfeit card four to eight years.
  • Article 245/A — Forbidden devices and programs. Producing, importing, selling, or merely possessing a device, program, password, or security code designed to commit these offences is punishable by one to three years' imprisonment plus a judicial fine of up to five thousand days. This is the provision most directly aimed at malware and hacking toolkits.
  • Article 246 — Security measures for legal entities. Where these offences benefit a company, specific security measures (güvenlik tedbirleri) can be imposed on the legal entity itself, separate from any individual liability.

Personal-Data Offences (TCK Articles 135-140)

Unlawfully recording personal data (Art. 135), unlawfully obtaining or disclosing it (Art. 136), and failing to destroy data when the law requires (Art. 138, one to two years' imprisonment) are distinct crimes. These provisions run alongside the data-protection regime described below, which is why one breach can produce criminal and regulatory consequences at the same time.

For company directors, Article 246 and the broader question of when a manager is personally exposed are explored in our note on directors' criminal liability in Turkish law.

Cyber Offences at a Glance: Article, Penalty, and Who to Notify

This table is a quick orientation, not legal advice; the applicable penalty depends on the facts, any aggravating circumstances, and prior convictions.

| Incident | Main provision | Typical penalty | Who to involve |
|---|---|---|---|
| Hacking / unauthorised access | TCK Art. 243 | Up to 1 year, or a judicial fine | Prosecutor / cybercrime police |
| Ransomware, sabotage, data wiping | TCK Art. 244 | Imprisonment, increased for bank/public targets | Prosecutor; KVKK if data exposed |
| Card / online-banking fraud | TCK Art. 245 | 3-6 years (counterfeit-card use 4-8 years) | Prosecutor; your bank |
| Malware / hacking tools | TCK Art. 245/A | 1-3 years + judicial fine | Prosecutor |
| Leak of personal data | TCK Arts. 135-138 + KVKK | Imprisonment + administrative fine | KVKK + prosecutor |
| Phishing / BEC (redirected payment) | Fraud, TCK Art. 157-158 | Imprisonment + judicial fine | Prosecutor; your bank |

Data Protection: KVKK Law No. 6698

Turkey's Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, Law No. 6698, "KVKK") is aligned with, but not identical to, the EU GDPR — the lawful bases, the heavy emphasis on explicit consent, and the new transfer rules all diverge in places. It is not a criminal statute, but a breach usually triggers parallel exposure: administrative fines from the Data Protection Authority (Kişisel Verileri Koruma Kurumu), criminal liability under TCK Articles 135-140, and civil compensation claims.

The law: A single data breach can run on three tracks at once — an administrative fine under KVKK No. 6698, a criminal offence under the Penal Code (TCK No. 5237), and a civil compensation claim under the Code of Obligations (Türk Borçlar Kanunu, No. 6098). Treat every incident as a multi-track event from day one.

Core obligations for any business handling personal data in Turkey include:

  • Registering with VERBİS where required and identifying a lawful basis for each processing activity.
  • Implementing appropriate technical and organisational security measures.
  • Notifying the Authority and affected individuals of a breach (see the deadline below).
  • Erasing, destroying, or anonymising data once the lawful retention period ends.

Watch the deadline: You must notify the Data Protection Board of a personal-data breach within 72 hours of becoming aware of it (Board Decision No. 2019/10, interpreting the "as soon as possible" wording of KVKK Art. 12(5)), and notify affected individuals within a reasonable time. Missing the 72-hour window is itself a separate ground for a fine.

Fines are substantial. For 2026, following the 25.49% revaluation rate, the penalty for failing to take adequate data-security measures runs from roughly TRY 256,357 to TRY 17,092,242. Strong documentation of your KVKK measures is often decisive in keeping a fine at the lower end. The interaction between data-protection fines and financial-sector penalties is covered in our guide to fintech administrative and criminal liability.

Cross-Border Data Transfers: The 2024 Reform Foreign Companies Must Know

For a foreign company, the most consequential KVKK topic is moving Turkish personal data abroad — to a parent, a cloud provider, or a group HR system. This was rebuilt by Law No. 7499, which overhauled KVKK Article 9 and took effect in mid-2024. It replaced the old reliance on case-by-case explicit consent with a structured, GDPR-style hierarchy.

  • Adequacy decision. Transfers to a country (or sector/organisation) the Board has declared adequate may proceed without further safeguards.
  • Appropriate safeguards. Absent an adequacy decision, you may transfer using a Board-approved standard contract, binding corporate rules for a corporate group, or another recognised safeguard.
  • Derogations. In limited, defined cases (for example, explicit consent for a one-off transfer or performance of a contract), a transfer can rely on a derogation.

Watch the deadline: If you rely on a standard contract, you must notify the Data Protection Authority within five business days of signing it. Failure to file on time is, in practice, one of the most common triggers for a penalty since the reform.

KVKK also has extraterritorial reach: a controller outside Turkey that processes the personal data of people in Turkey can fall within the law. Getting the transfer mechanism and the vendor contracts right at the outset is far cheaper than fixing them after a complaint — our team handles this together with the data-processing and vendor security clauses that sit behind every cross-border data flow.

Internet, Evidence, and Cybersecurity Laws You Should Know

Several further statutes shape how cybercrime and online harm are handled in Turkey:

  • Law No. 5651 on internet publications governs content removal, blocking, and the liability of hosting and access providers — relevant to defamation, leaked content, and takedown requests.
  • Criminal Procedure Code (Ceza Muhakemesi Kanunu, Law No. 5271) sets out how digital evidence is seized, examined, and preserved, and how a victim files a criminal complaint (şikâyet).
  • Cybersecurity Law No. 7545, in force since 19 March 2025, created a national framework with duties for operators in critical sectors — finance, healthcare, energy, telecommunications — overseen by the Cybersecurity Directorate (Siber Güvenlik Başkanlığı), which holds audit and enforcement powers. Whether and how it applies turns on your sector and activities.
  • Code of Obligations (Law No. 6098) grounds compensation claims arising from negligent data handling or breach of contractual security commitments.

Because these regimes overlap, the right strategy depends on whether you are the victim seeking redress or a business managing its own liability after an incident.

What to Do If You Are a Victim of Cybercrime

Acting quickly preserves both evidence and your legal options. Practical first steps:

  1. Secure your accounts. Change passwords, enable two-factor authentication, and tell your bank immediately — banks can sometimes recall or freeze a fraudulent transfer if you act within hours, especially in BEC and card-fraud cases.
  2. Preserve evidence. Take screenshots, save emails with their full headers, and record transaction references and timestamps. Do not delete anything.
  3. File a criminal complaint. A şikâyet can be lodged with the Public Prosecutor's Office (Cumhuriyet Başsavcılığı) or the police cybercrime unit. The prosecutor can order banks, platforms, and providers to hand over data. Note that some offences are prosecuted automatically (ex officio) while others depend on a timely complaint, so do not delay.
  4. Notify the Data Protection Authority if personal data has been exposed.
  5. Pursue civil recovery. Beyond the criminal track, you can sue the responsible party for compensation under Law No. 6098, and enforce any judgment through Turkish enforcement proceedings.

Tip: The criminal complaint and the civil claim are separate tracks and can run in parallel. A criminal conviction is helpful evidence in the civil case, but you do not have to wait for it to start recovering money.

Foreigners can pursue all of these remedies in Turkey and are entitled to an interpreter. A lawyer can file and follow the complaint under a power of attorney, so you need not remain in the country. Where the loss is a redirected payment or an unpaid debt, our team for recovering funds and enforcing judgments can pursue the money alongside the criminal complaint.

Cybersecurity Strategies for Businesses Operating in Turkey

Prevention is far cheaper than litigation. Companies with operations or customers in Turkey should build a defensible compliance and security posture:

  • Map and minimise data. Know what personal and financial data you hold, where it sits, and how long you keep it.
  • Harden access. Enforce strong authentication, least-privilege access, and segregation of critical systems.
  • Train staff. Most breaches start with a click; regular phishing and BEC awareness training materially reduces risk.
  • Prepare an incident-response plan. Decide in advance who declares an incident, who notifies the Authority within 72 hours, and who calls counsel — before an incident, not during one.
  • Contract carefully. Allocate security and breach-notification duties clearly with vendors and processors, and confirm your cross-border transfer mechanism is documented.
  • Document compliance. Keep records of your KVKK measures; documentation is often decisive in reducing administrative fines.

Where these offences could benefit the company, Article 246 security measures and director exposure make this a board-level issue — we handle it as part of corporate compliance and director duties. For sectors covered by Cybersecurity Law No. 7545, additional obligations apply and should be assessed individually.

We advise foreign individuals and companies on both sides of cyber incidents: defending people accused of information-systems offences, and helping victims recover losses and pursue offenders. Our work covers criminal complaints, digital evidence, KVKK compliance and breach response, cross-border transfer structuring, and related civil claims, all handled in English. Where someone is accused of a hacking or card-misuse offence, our Turkish criminal defense lawyers conduct the defence.

Every matter is reviewed by a qualified Turkish lawyer. This article is general information, not legal advice, and outcomes depend on the specific facts of each case. To discuss your situation, get in touch with our team.

Frequently asked questions

Is hacking a criminal offence in Turkey?

Yes. Unauthorised access to an information system is a crime under Article 243 of the Turkish Penal Code (Law No. 5237), punishable by up to one year's imprisonment or a judicial fine, with heavier penalties where banking or financial systems are targeted. Interfering with a system or altering data is separately punished under Article 244, and producing or possessing hacking tools is an offence under Article 245/A.

What are the penalties for card fraud and using malware in Turkey?

Under TCK Article 245, using another person's bank or credit card carries three to six years' imprisonment plus a judicial fine, producing or selling counterfeit cards three to seven years, and using a counterfeit card four to eight years. Producing or possessing devices or programs designed to commit cybercrime is punishable under Article 245/A by one to three years plus a fine of up to five thousand days.

How long do I have to report a data breach in Turkey?

You must notify the Personal Data Protection Board within 72 hours of becoming aware of a personal-data breach, under Board Decision No. 2019/10 interpreting KVKK Article 12(5). Affected individuals must be notified within a reasonable time. Missing the 72-hour deadline is itself a separate ground for an administrative fine, which for 2026 can run into the millions of Turkish lira for security failures.

Can a foreigner report cybercrime to the Turkish police?

Yes. Foreigners can file a criminal complaint (şikâyet) with the Public Prosecutor's Office or the police cybercrime unit and are entitled to an interpreter. A Turkish lawyer can file and follow the complaint under a power of attorney, so you do not need to stay in Turkey throughout the process, and you can pursue a civil compensation claim in parallel.

Can foreign companies still transfer Turkish personal data abroad?

Yes, but the rules changed in 2024. Law No. 7499 amended KVKK Article 9 to require an adequacy decision, an appropriate safeguard such as a Board-approved standard contract or binding corporate rules, or a recognised derogation. If you rely on a standard contract, you must notify the Data Protection Authority within five business days of signing it.

Does the Cybersecurity Law No. 7545 apply to my business?

It has been in force since 19 March 2025 and imposes duties on operators in critical sectors such as finance, healthcare, energy, and telecommunications, supervised by the Cybersecurity Directorate. Whether it applies to you depends on your sector and activities, so it should be assessed case by case with a Turkish lawyer.
