Introduction
Data deletion, data alteration and system interference crimes are among the most serious cybercrime offences under Turkish law. In a digital economy where companies, public institutions and individuals rely on electronic systems for communication, finance, logistics, healthcare, banking, e-commerce, legal services and public administration, any interference with data or system functionality may cause severe harm.
A cyber incident may paralyze a company’s operations, destroy customer records, block access to critical information, alter accounting data, transfer trade secrets, manipulate banking systems, damage public services or expose personal data. For this reason, Turkish law does not treat these acts as ordinary technical problems. They are criminal offences when the statutory conditions are met.
The main legal provision is Article 244 of the Turkish Penal Code No. 5237, titled in practice as preventing or disrupting the functioning of an information system and deleting, altering, corrupting or making data inaccessible. Under Article 244, preventing or disrupting the functioning of an information system is punishable by imprisonment from one to five years; damaging, destroying, altering, making inaccessible, inserting or transferring data is punishable by imprisonment from six months to three years; penalties are increased by half if the offence targets the information systems of banks, credit institutions or public institutions; and where unjust benefit is obtained without constituting another offence, imprisonment from two to six years and a judicial fine up to five thousand days may apply.
This article provides a detailed English legal guide to data deletion, data alteration and system interference crimes under Turkish law. It explains the offence structure, legal elements, penalties, practical examples, digital evidence, victim rights, corporate responsibilities, personal data implications and defence strategies.
1. Legal Framework of Turkish Penal Code Article 244
Article 244 is one of the core provisions of Turkish cybercrime law. While Article 243 of the Turkish Penal Code mainly concerns unlawful access to information systems, Article 244 focuses on more harmful conduct: interference with system functionality and interference with data.
The law separates two main categories. The first category is preventing or disrupting the functioning of an information system. This covers acts that affect the normal operation of a system. A denial-of-service attack, ransomware that blocks system operation, deliberate shutdown of a server, manipulation of software functionality or disabling of a company’s digital infrastructure may fall within this category.
The second category is interference with data. This includes damaging, destroying, altering or making data inaccessible, inserting new data into a system or transferring existing data to another place. This wording is broad and covers many cyber incidents, from deleting files and changing database records to copying customer lists or moving digital assets to another system.
Article 244 is important because it criminalizes not only physical damage to hardware but also digital damage to system operation and data integrity. In modern business life, data may be more valuable than the physical device on which it is stored. Destroying or altering data can cause operational, financial and reputational harm that exceeds the cost of any computer equipment.
2. What Is an Information System?
Turkish criminal law interprets the concept of an information system broadly. An information system may be any digital structure that collects, stores, processes, transfers, displays or makes data available. It may include computers, servers, mobile phones, cloud platforms, databases, websites, online banking systems, e-commerce panels, corporate software, hospital systems, public institution portals, social media accounts, electronic archives and internal business networks.
For Article 244, the system does not have to belong to a large corporation or public authority. A personal cloud account, a private e-mail archive or a small company’s accounting software may also be protected. The essential issue is whether there is a digital system and whether the accused person interfered with its operation or data.
In practice, the following systems may be relevant:
A company’s customer relationship management platform.
A bank’s online transaction infrastructure.
An e-commerce website’s order database.
A hospital’s patient record system.
A law firm’s digital archive.
A public institution’s electronic application portal.
An employer’s accounting and payroll software.
A social media account used for business purposes.
A cloud folder containing commercial documents.
A mobile application storing personal or financial data.
The broad interpretation of information systems reflects the modern reality that data and system functionality are central to both private life and commercial activity.
3. Preventing or Disrupting the Functioning of a System
The first offence under Article 244 concerns preventing or disrupting the functioning of an information system. This form of the offence does not necessarily require deletion or alteration of data. It is sufficient that the normal operation of the system is blocked, hindered, slowed down, disabled or materially impaired.
Examples may include:
Launching a denial-of-service attack that makes a website inaccessible.
Installing malware that prevents employees from using company software.
Changing server settings to block access to a business platform.
Disabling administrator accounts.
Locking a system through ransomware.
Overloading a system with automated traffic.
Interfering with network configuration to interrupt operations.
Preventing users from accessing an online service.
The key issue is whether the system’s normal functioning has been prevented or disrupted. A temporary interruption may be enough if it is significant and intentional. However, minor inconvenience, accidental technical failure or ordinary system error should not automatically be treated as a criminal offence. The prosecution must prove a human act, unlawfulness, causation and intent.
This distinction is especially important in corporate disputes. Not every IT failure is a cybercrime. A system may stop working because of poor maintenance, outdated software, hardware failure, user error, third-party service interruption or accidental misconfiguration. Article 244 requires criminal conduct, not merely a bad technical outcome.
4. Data Deletion, Data Destruction and Data Corruption
The second paragraph of Article 244 criminalizes acts against data itself. Data deletion or destruction may occur when files, databases, records, archives, messages, logs, backups or digital documents are intentionally removed or destroyed.
In business life, data deletion can be extremely damaging. A former employee may delete customer lists before leaving the company. A malicious insider may erase accounting records. A cyberattacker may delete server files after gaining access. A competitor may destroy stored data to damage business operations. A ransomware group may delete backups to increase pressure on the victim.
The prosecution must prove that data existed, that it was deleted or destroyed, that the accused person caused the deletion or destruction, and that the act was intentional and unlawful. If the data was already missing for technical reasons or if deletion occurred through authorized system maintenance, Article 244 may not apply.
Digital forensic evidence is critical. Courts may examine logs, timestamps, user activity records, access permissions, backup history, device records, file metadata, cloud platform activity and expert reports. A bare allegation that data disappeared is usually not enough. The legal file must connect the deletion to a person, device, account or intentional act.
5. Data Alteration and Manipulation
Data alteration is another important form of Article 244. It means changing existing data within an information system. The alteration may be obvious or hidden. It may affect names, amounts, dates, access rights, financial records, customer information, inventory levels, transaction histories, medical records, academic records, legal documents or system configurations.
Examples may include:
Changing invoice amounts in accounting software.
Altering customer information in a database.
Modifying bank account details in a payment system.
Changing grades or records in an educational system.
Manipulating inventory data in an e-commerce platform.
Editing logs to hide unauthorized access.
Changing passwords or recovery e-mail addresses.
Modifying contract files stored in a digital archive.
Data alteration may be more dangerous than deletion because it can remain unnoticed. A deleted file may immediately attract attention, but altered data may mislead the company or public authority for a long time. For example, changing payment information in an invoice system may cause money to be transferred to a wrong account. Altering medical data may create health risks. Changing legal records may affect litigation or enforcement proceedings.
In Article 244 cases, data alteration must be proven with technical precision. The investigation should determine what the original data was, what changed, when it changed, which user account made the change, which device or IP address was involved and whether the accused person had authority to perform that change.
6. Making Data Inaccessible
Article 244 also punishes making data inaccessible. This is highly relevant to ransomware, encryption attacks, password changes, account lockouts and access blocking.
Data may technically still exist, but if the lawful user cannot access it, the offence may arise. For example, an attacker may encrypt company data and demand payment. A former employee may change the administrator password and prevent the employer from accessing customer files. A system user may move files to a hidden or restricted location. A cloud account may be locked by changing recovery credentials.
Making data inaccessible is especially harmful because the victim may be unable to continue operations even if the data has not been deleted. In practice, business interruption, inability to serve customers, loss of contractual performance and reputational damage may follow.
From a legal perspective, it is important to prove that the victim had lawful access before the act and lost access because of the accused person’s conduct. Evidence may include password change logs, account recovery records, encryption notes, system access reports, administrator logs, e-mail notifications and expert findings.
7. Inserting Data Into a System
Article 244 also covers placing or inserting data into an information system. This may include uploading malicious code, creating false records, inserting fake user data, adding unauthorized files, placing hidden scripts, uploading illegal content or injecting commands into a database.
This form is important because cyberattacks do not always remove or alter existing data. Sometimes the attacker adds new data to manipulate the system, create false evidence, damage reputation or prepare a further offence.
Examples may include:
Inserting malware into a company server.
Adding fake customer records.
Uploading unlawful content to a hacked website.
Creating unauthorized administrator accounts.
Injecting code into a web application.
Adding false payment instructions.
Placing hidden tracking software.
Inserting data may overlap with other offences. If malware is inserted to obtain personal data, personal data crimes may arise. If fake payment records are inserted to obtain money, fraud may be considered. If unlawful content is uploaded, internet publication and content removal rules may become relevant.
8. Transferring Existing Data Elsewhere
Article 244 criminalizes sending or transferring existing data to another place. This is a crucial provision for data theft, insider misconduct and corporate espionage.
A person may not delete or alter data but may copy or transfer it to another device, cloud account, e-mail address, external drive or third-party server. This can cause serious harm, especially where the data includes customer lists, trade secrets, personal data, financial records, source code, business plans or confidential documents.
Examples include:
Sending a customer database to a personal e-mail address.
Copying company files to a USB drive before resignation.
Transferring source code to a competitor.
Moving confidential documents to a private cloud account.
Exporting personal data from a corporate system.
Uploading internal documents to an external server.
The distinction between “viewing” data and “transferring” data is significant. Merely entering the system may fall under Article 243. Copying or sending data elsewhere may bring Article 244 into the case. If the transferred data includes personal data, Turkish Penal Code provisions on personal data and the Personal Data Protection Law may also become relevant.
9. Aggravated Form: Banks, Credit Institutions and Public Institutions
Article 244 provides an aggravated form where the offence is committed against information systems belonging to a bank, credit institution, public institution or public organization. In such cases, the penalty is increased by half.
This aggravation reflects the public and economic importance of these systems. Banking systems contain financial assets and sensitive customer data. Public institution systems may contain identity records, tax information, health records, judicial data, social security information and public service infrastructure. Interference with such systems may harm not only the direct victim but also public trust, economic stability and administrative continuity.
Examples may include:
Disrupting an online banking platform.
Manipulating public institution records.
Deleting data from a municipal system.
Transferring customer data from a credit institution.
Making public service data inaccessible.
Altering payment records in a bank-related system.
In practice, when the affected system belongs to a bank or public institution, prosecutors and courts are likely to treat the matter more seriously. Evidence collection may also involve specialized cybercrime units, institutional IT departments and expert reports.
10. Obtaining Unjust Benefit Through System or Data Interference
Article 244 also regulates situations where the offender obtains unjust benefit for himself or another person through the acts described in the previous paragraphs, provided that the conduct does not constitute another offence. In that case, imprisonment from two to six years and a judicial fine up to five thousand days may be imposed.
This provision is important in cases where system manipulation creates financial or practical gain. For example, a person may alter electronic records to reduce a debt, increase a balance, change payment information, obtain services, redirect funds or create a false entitlement.
However, cyber-related unjust benefit may also fall under other offences, especially fraud, qualified theft, misuse of bank or credit cards or breach of trust. Therefore, correct legal classification is essential. Article 244/4 applies where unjust benefit is obtained through system or data interference and the act does not separately constitute another offence. If another specific offence exists, the legal analysis must address concurrence rules and the most appropriate charge.
11. Relationship Between Article 243 and Article 244
Article 243 and Article 244 are often confused, but they regulate different levels of cyber misconduct.
Article 243 concerns unlawful access to an information system or unlawfully remaining in it. Article 244 concerns interference with the system’s operation or data. In simple terms, Article 243 is about unauthorized entry; Article 244 is about damaging, disrupting, altering, deleting, blocking, inserting or transferring.
The distinction is important because Article 244 generally carries heavier consequences. If a person only enters another person’s e-mail account without permission, Article 243 may be relevant. If the same person deletes e-mails, changes the password, transfers messages or makes the account inaccessible, Article 244 may also arise.
In defence practice, one common argument is that the prosecution has overclassified the act. If there is no proof of deletion, alteration, transfer, inaccessibility or disruption, Article 244 may not be established. In victim representation, the opposite may be necessary: the complaint should clearly explain how the act exceeded mere access and caused data or system interference.
12. Ransomware and Malware Under Turkish Law
Ransomware is one of the clearest examples of system interference and data inaccessibility. In a ransomware attack, malicious software may encrypt data, lock systems, disable backups and demand payment. Under Turkish law, such conduct may fall under Article 244 because it prevents or disrupts system operation and makes data inaccessible. Legal commentary on Turkish cybersecurity law also identifies malware that prevents or disrupts systems, damages data, alters data or renders data inaccessible as falling within Article 244, with aggravated penalties where banking or public systems are targeted.
Ransomware may also trigger other offences. If the attacker threatens to publish data unless payment is made, blackmail or threats may be considered. If personal data is obtained or disclosed, personal data offences may arise. If money is transferred through deception or coercion, fraud or related financial offences may become relevant.
For companies, ransomware is not merely a technical incident. It may require a criminal complaint, forensic investigation, data breach assessment, notification to the Personal Data Protection Authority, communication with customers, cyber insurance notice, preservation of evidence and business continuity measures.
13. Personal Data Breaches and KVKK Consequences
Many Article 244 incidents involve personal data. Customer lists, identity numbers, phone numbers, e-mail addresses, health data, employee files, bank details and user credentials may be affected by deletion, alteration, transfer or inaccessibility.
Under the Turkish Personal Data Protection Law No. 6698, data controllers must take all necessary technical and organizational measures to ensure an appropriate level of security, including preventing unlawful processing, preventing unlawful access and ensuring the protection of personal data. If processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.
The Personal Data Protection Board has interpreted the phrase “within the shortest time” as requiring notification to the Board without delay and no later than 72 hours after becoming aware of the breach. The Board’s decision also states that data subjects should be informed within the shortest reasonable period after affected persons are identified, and that controllers should document breaches and maintain a breach response plan.
Therefore, a cyber incident involving data deletion or transfer may create parallel legal tracks:
Criminal liability of the attacker under Turkish Penal Code Article 244.
Possible personal data offences under the Turkish Penal Code.
Administrative and compliance obligations of the data controller under KVKK.
Civil compensation claims by affected individuals.
Contractual liability toward customers, partners or service providers.
This multi-layered structure makes early legal assessment essential.
14. Corporate Cybercrime and Insider Misconduct
Many system interference cases arise inside companies. The perpetrator may be a former employee, current employee, contractor, software developer, IT administrator, business partner or competitor.
Common examples include:
A former employee deletes company files before leaving.
An IT manager changes administrator passwords and blocks access.
A salesperson exports customer lists to a personal account.
A software developer disables code after a payment dispute.
A contractor transfers confidential data outside the agreed scope.
A business partner manipulates records in shared software.
These cases are legally complex because the person may once have had legitimate access. The critical question is whether the person exceeded authorization and whether the conduct involved deletion, alteration, transfer, insertion, inaccessibility or system disruption.
Companies should implement strong offboarding procedures. Access rights should be revoked immediately after termination. Administrator privileges should be limited and monitored. Logs should be retained securely. Contracts should clearly define access authority, confidentiality duties and post-termination obligations.
15. Digital Evidence in Article 244 Cases
Digital evidence is the backbone of Article 244 investigations. The most important evidence may include:
Server logs.
Firewall records.
User activity reports.
Cloud access logs.
Database audit trails.
File metadata.
Backup records.
E-mail headers.
IP address records.
Device images.
Mobile phone extractions.
Security camera records.
Bank transaction records.
Ransomware notes.
Malware analysis reports.
Expert reports.
In data deletion cases, investigators should determine when the data was last intact, when it disappeared, which account performed the deletion, whether backups were affected and whether the accused controlled the relevant account or device.
In data alteration cases, the investigation should compare original and changed data, identify timestamps, examine user permissions and determine whether the alteration was authorized.
In system interference cases, experts should determine the technical cause of disruption, whether the incident was intentional, whether the accused’s act caused the disruption and whether alternative explanations exist.
Screenshots alone are rarely sufficient. They should be supported by logs, metadata, official records, expert analysis or provider responses. Digital evidence must also be obtained lawfully and preserved carefully. If evidence is altered during internal investigation, its reliability may be challenged.
16. Victim Rights and Legal Remedies
Victims of data deletion, alteration or system interference crimes may file a criminal complaint before the public prosecutor’s office. The complaint should not be vague. It should explain the affected system, the type of interference, dates and times, suspected persons, technical indicators, damage suffered and evidence available.
A strong criminal complaint should request:
Identification of suspects.
Preservation and collection of logs.
Digital forensic examination.
Search and seizure of relevant devices where conditions exist.
Requests to service providers, hosting companies, platforms or banks.
Expert analysis of data deletion, alteration or system disruption.
Determination of financial damage.
Investigation of personal data offences if applicable.
In urgent cases, victims may also need civil injunctions, content removal, access blocking, bank transaction objections, internal disciplinary measures or claims for compensation.
For companies, immediate incident response is vital. The company should isolate affected systems, preserve evidence, avoid unnecessary changes, secure backups, notify legal counsel, assess KVKK obligations and document all steps taken.
17. Defence Strategies in Article 244 Cases
Defence in Article 244 cases requires detailed technical and legal analysis. Since penalties may be serious, the defence should challenge each statutory element.
Possible defence arguments include:
The accused did not perform the act.
The relevant system or data was not affected by the accused.
The data was not deleted, altered, made inaccessible or transferred.
The system disruption resulted from technical failure, not intentional conduct.
The accused had authorization to perform the relevant action.
The action was part of ordinary maintenance, backup, migration or security work.
The logs are incomplete or unreliable.
The IP address does not identify the accused personally.
The device was used by others or compromised.
There is no criminal intent.
The correct classification is Article 243, not Article 244.
The alleged damage is exaggerated or unrelated.
In corporate disputes, the defence should examine employment contracts, access policies, internal authorization records, technical documentation, termination notices and whether the company had proper log management. If the company’s system was poorly managed, attribution may be difficult.
Independent expert opinions can be highly valuable. A technical expert may identify whether data was actually deleted, whether the deletion was reversible, whether timestamps are consistent, whether another user could have performed the act and whether logs support the prosecution theory.
18. Civil Liability and Compensation
Article 244 offences may also create civil liability. Victims may claim compensation for material and moral damages.
Material damages may include:
System restoration costs.
Data recovery expenses.
Business interruption losses.
Lost profit.
Forensic investigation costs.
Customer notification expenses.
Contractual penalties.
Costs of rebuilding databases.
Financial losses caused by altered records.
Moral damages may arise if the incident violates personal rights, privacy, reputation or professional dignity. For example, unauthorized alteration or publication of private data may cause emotional harm and reputational damage.
In corporate cases, damages may be substantial. A cyber incident may interrupt operations, damage client trust, trigger regulatory scrutiny and create contractual disputes. The criminal case may support the civil claim, but damages still need to be proven with evidence.
19. Compliance Recommendations for Companies
Companies in Turkey should treat system and data interference as a legal risk, not only an IT risk. Preventive measures can reduce both victimization and liability.
Recommended measures include:
Role-based access control.
Multi-factor authentication.
Secure password policies.
Regular backup and backup testing.
Immutable or offline backups for critical data.
Centralized log management.
Employee cybersecurity training.
Immediate revocation of former employee access.
Written IT and data security policies.
Incident response plan.
Data breach response plan.
Vendor security clauses.
Penetration testing with written authorization.
Internal investigation protocols.
Personal data inventory and KVKK compliance.
A company that cannot identify who accessed its system, what data was changed or whether personal data was affected will face difficulty both in criminal proceedings and regulatory defence.
20. Why Legal Assistance Is Important
Article 244 cases are technically complex and legally sensitive. A victim may know that data disappeared but may not know how to prove deletion, intent and causation. A company may accidentally destroy evidence during internal investigation. A suspect may face a heavier charge although the evidence only proves access, not data interference. A data breach may trigger KVKK notification duties that cannot be ignored.
A Turkish cybercrime lawyer can assist with criminal complaints, defence petitions, expert coordination, evidence preservation, internal investigations, KVKK breach assessment, corporate compliance and compensation claims. The best strategy usually combines criminal law, digital forensics, data protection law, employment law and commercial law.
Conclusion
Data deletion, data alteration and system interference crimes under Turkish law are mainly regulated by Turkish Penal Code Article 244. The provision punishes preventing or disrupting the functioning of an information system, deleting, destroying, altering or making data inaccessible, inserting data into a system and transferring existing data elsewhere.
These offences may arise in many contexts, including ransomware, malware, insider misconduct, former employee access, database manipulation, corporate espionage, public system attacks, banking system interference and personal data breaches. Penalties may become heavier where banks, credit institutions or public institutions are targeted, or where unjust benefit is obtained.
For victims, the most important step is immediate evidence preservation and a technically detailed criminal complaint. For suspects, the defence must carefully challenge authorization, intent, causation, digital attribution and legal classification. For companies, the key lesson is that cybersecurity is also legal risk management.
In modern Turkish cybercrime practice, data is often the most valuable asset. Destroying, altering, blocking or transferring data can cause severe financial and legal consequences. Therefore, Article 244 should be understood not only as a criminal provision but also as a central rule protecting trust, continuity and integrity in the digital environment.
Yanıt yok