Introduction
Unauthorized access to corporate email accounts under Turkish law is a serious cybercrime and corporate compliance issue. Corporate email systems are not merely communication tools. They often contain contracts, invoices, customer data, employee records, trade secrets, payment instructions, legal correspondence, personal data, board communications and commercially sensitive information. When a corporate email account is accessed without authorization, the incident may trigger criminal liability, personal data breach obligations, internal investigation duties, civil compensation claims and reputational damage.
In Turkey, the main criminal provision is Article 243 of the Turkish Penal Code, which punishes unlawful access to an information system or unlawfully remaining in such a system. If the offender goes further and deletes emails, changes mailbox rules, transfers data, blocks access or disrupts the company’s email system, Article 244 of the Turkish Penal Code may also apply. The Council of Europe’s cybercrime profile for Turkey identifies Article 243 as illegal access to a computer network system and Article 244 as preventing system functioning and deletion, alteration or corruption of data.
Corporate email incidents may also involve qualified fraud, personal data offences, trade secret violations, breach of confidentiality, employee misconduct and data breach notification obligations under the Turkish Personal Data Protection Law No. 6698, known as the KVKK. If the incident is connected to a business email compromise or fake invoice fraud, Turkish Penal Code Article 158 on qualified fraud may also become relevant.
This article explains unauthorized access to corporate email accounts under Turkish law from a practical legal perspective. It covers criminal liability, employee and former employee access, digital evidence, KVKK data breach duties, criminal complaint strategy, corporate investigations, civil liability and defence strategies.
1. Why Corporate Email Accounts Are Legally Sensitive
Corporate email accounts are legally sensitive because they combine business data, personal data and evidence. A single mailbox may include client correspondence, supplier negotiations, bank details, employee complaints, HR files, identity documents, contracts, invoices, legal notices, intellectual property materials and confidential internal discussions.
Unauthorized access to such an account may cause several types of harm. The offender may read confidential correspondence, copy attachments, create hidden forwarding rules, delete messages, monitor payment negotiations, send fraudulent invoices, impersonate executives, collect customer data or obtain documents to use in competition or litigation.
In many cases, the company may not notice the breach immediately. The offender may silently monitor correspondence for weeks before acting. This is common in business email compromise cases, where attackers wait for the right moment to change payment details or send false instructions.
For this reason, corporate email access is not only an IT security matter. It is a criminal law, data protection, employment law and corporate governance matter.
2. Article 243: Unlawful Access to an Information System
Article 243 of the Turkish Penal Code is the core provision for unauthorized corporate email access. It criminalizes unlawfully entering all or part of an information system or unlawfully remaining there. Legal sources summarizing the provision state that the basic form is punishable by imprisonment of up to one year or a judicial fine. If data in the system is destroyed or altered as a result of the act, imprisonment from six months to two years may apply; unlawful technical monitoring of data transfers may also be punished separately.
A corporate email account may qualify as part of an information system. The system may be Microsoft 365, Google Workspace, an internal Exchange server, a cloud email platform, a CRM-linked mailbox, a shared mailbox, an executive email account or a departmental account. The law does not require the account to be highly technical or government-related. Unauthorized entry into a corporate mailbox may be sufficient.
Article 243 may apply in several scenarios:
A former employee logs into a company email account after termination.
A current employee accesses another employee’s mailbox without authorization.
A competitor obtains login credentials and reads commercial correspondence.
A hacker enters a corporate mailbox through phishing credentials.
A service provider continues accessing company email after the service contract ends.
A spouse, friend or business partner uses a saved password to enter a company account.
The key legal question is whether the access was lawful at the time and within the scope of authorization.
3. Article 244: Deleting, Altering, Blocking or Transferring Email Data
Unauthorized email access may become more serious if the offender interferes with data. Article 244 of the Turkish Penal Code punishes preventing or disrupting the functioning of an information system and deleting, altering, making inaccessible, inserting or transferring data. UNODC’s Turkish Penal Code materials identify Article 244 as covering interference with data and system operation.
In corporate email cases, Article 244 may become relevant where the offender:
Deletes emails or attachments.
Changes mailbox passwords or recovery details.
Creates hidden forwarding rules.
Transfers emails to an external account.
Blocks the company’s access to the mailbox.
Alters invoice attachments.
Changes bank account details in correspondence.
Deletes warning emails or security notifications.
Modifies mailbox settings to hide activity.
Exports email archives to a personal device.
The distinction between Article 243 and Article 244 is important. Article 243 focuses on unauthorized entry or remaining. Article 244 focuses on interference with the system or data. If an offender merely reads emails without permission, Article 243 may be the main offence. If the offender copies emails, deletes messages, changes settings or forwards correspondence, Article 244 may also be considered.
4. Employee Access: When Does It Become Unlawful?
Corporate email disputes often involve employees or former employees. A current employee may normally have access to their own work email account. Some employees may also access shared mailboxes, departmental accounts, customer support inboxes or executive assistant accounts. However, employment does not create unlimited authority to access every company mailbox.
Access may become unlawful when an employee exceeds the scope of authorization. For example, an accounting employee may be authorized to access invoice correspondence but not HR complaints. A sales employee may access customer emails but not board-level strategy discussions. An IT employee may perform technical maintenance but not read private or legally privileged correspondence without a valid business reason.
The same analysis applies to shared accounts. If several employees use a shared email account, the company must examine whether the accused person had permission to use that account at the relevant time. If the company uses shared passwords without clear access logs, proving personal responsibility may become difficult.
Therefore, companies should define email access rights through IT policies, job descriptions, role-based permissions and internal procedures.
5. Former Employees and Post-Termination Access
Former employee access is one of the most common corporate email cybercrime scenarios. An employee may retain a password, know a shared login, keep a saved session on a personal device, or continue receiving emails through forwarding rules after leaving the company.
After termination, resignation or expiry of a service relationship, continued access is usually legally risky unless expressly authorized. Even if the employee previously had lawful access, that permission may end with the employment relationship. Continuing to enter the mailbox after authorization ends may constitute unlawful access under Article 243.
If the former employee downloads customer correspondence, deletes emails, forwards invoices, copies trade secrets or sends misleading messages, Article 244 and other offences may also arise.
Companies should have strict offboarding procedures:
Disable email accounts immediately.
Change shared passwords.
Remove mobile device access.
Revoke cloud session tokens.
Check forwarding rules.
Review delegated mailbox permissions.
Recover company devices.
Preserve relevant logs.
Notify IT and legal departments.
Offboarding failures can create both security risk and evidentiary difficulty.
6. Business Email Compromise and Fake Invoice Fraud
Unauthorized corporate email access often leads to Business Email Compromise (BEC). In these cases, criminals access or imitate a corporate mailbox and use it to redirect payments. They may monitor real supplier correspondence, alter invoices, change IBAN details or impersonate executives.
This may constitute qualified fraud if the offender uses information systems and banking channels to obtain unlawful benefit. It may also involve Article 243 if a mailbox was unlawfully accessed, and Article 244 if emails or data were altered, deleted, forwarded or transferred.
A company that discovers fake invoice fraud should act immediately. The bank should be notified, a criminal complaint should be prepared, fraudulent emails should be preserved with full headers, mailbox login logs should be secured, and the real supplier should be contacted through a trusted channel.
A BEC incident should never be treated only as an accounting mistake. It may be a cybercrime, data breach, fraud case and commercial liability dispute at the same time.
7. Personal Data Breach Under KVKK
Corporate email accounts frequently contain personal data. Names, phone numbers, addresses, Turkish identity numbers, passport copies, salary information, employment records, customer details, bank account information, medical information and private correspondence may all be found in business mailboxes.
If unauthorized persons access corporate email accounts and obtain personal data, the company may need to assess whether a personal data breach occurred under the KVKK. The Turkish Personal Data Protection Board’s Decision No. 2019/10 requires data controllers to notify the Board without delay and, where notification cannot be made within 72 hours, to attach the reasons for delay. The Turkish Personal Data Protection Authority also explains that delay reasons should be attached where notification cannot be achieved within 72 hours.
For corporate email access incidents, the company should ask:
Which mailboxes were accessed?
What personal data was inside those mailboxes?
Was data only viewed, or was it copied or forwarded?
Were special categories of personal data involved?
How many individuals may be affected?
When did the company become aware of the incident?
Has the incident been contained?
Should the Board and affected individuals be notified?
The company should document the assessment even if it decides that notification is not required. Documentation may be important in a later regulatory review.
8. Cybersecurity Law No. 7545 and Corporate Governance
Turkey’s Cybersecurity Law No. 7545 entered into force after publication in the Official Gazette on 19 March 2025. The law applies broadly to public institutions, private legal entities, professional associations and individuals operating in cyberspace, and it aims to protect public and private actors against cyber threats.
Corporate email access incidents may fall within broader cybersecurity governance concerns, especially where the company provides digital services, processes large volumes of data or operates critical systems. The law supports the view that cybersecurity is not only a technical matter but also a legal and administrative responsibility.
Companies should therefore build internal governance for email security. This includes multi-factor authentication, access control, log retention, incident response procedures, employee training, vendor security clauses and escalation rules for suspected cyber incidents.
9. Digital Evidence in Corporate Email Access Cases
Digital evidence is decisive in unauthorized corporate email access cases. The strongest criminal complaint or defence usually depends on logs, metadata and forensic records rather than general allegations.
Important evidence includes:
Login records.
IP addresses.
Device identifiers.
Mailbox audit logs.
Cloud admin logs.
Password reset records.
Multi-factor authentication logs.
Forwarding rules.
Deleted email recovery records.
Email headers.
Suspicious inbox rules.
Delegated access records.
Mobile device synchronization logs.
Attachment download records.
VPN records.
Employee device logs.
Server logs.
Security alerts.
Screenshots may be useful, but original technical records are stronger. In email cases, full email headers are particularly important because they may show routing information, sender details, authentication results and technical indicators of spoofing or compromise.
Companies should preserve evidence before changing settings. If the IT team deletes forwarding rules, purges logs or resets systems without recording the original state, the criminal file may be weakened.
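The preservation and review steps described here, and the post-termination and forwarding-rule scenarios in sections 5 and 9, can be made concrete in a small triage script. The following is an added example, not code from the article: it fingerprints an untouched audit export before any remediation, then flags hidden forwarding rules and activity on accounts after their offboarding time. The export format, field names, operation names, addresses and offboarding register are constructed assumptions, not any provider's real schema.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample export (JSON lines). Field and operation names are
# assumptions for this example, not the schema of any real audit log.
SAMPLE_EXPORT = """\
{"ts": "2025-04-01T08:02:11Z", "user": "ayse@example.com.tr", "op": "UserLoggedIn", "ip": "198.51.100.7"}
{"ts": "2025-04-03T22:41:05Z", "user": "ayse@example.com.tr", "op": "New-InboxRule", "ip": "203.0.113.9", "rule": {"name": ".", "forward_to": "archive@mail.example.org", "delete_after_forward": true}}
{"ts": "2025-04-05T09:15:30Z", "user": "mehmet@example.com.tr", "op": "UserLoggedIn", "ip": "198.51.100.7"}
{"ts": "2025-04-12T01:03:44Z", "user": "mehmet@example.com.tr", "op": "UserLoggedIn", "ip": "203.0.113.55"}
{"ts": "2025-04-12T01:05:02Z", "user": "mehmet@example.com.tr", "op": "MailItemsAccessed", "ip": "203.0.113.55", "count": 312}
"""

COMPANY_DOMAIN = "example.com.tr"
# Constructed offboarding register: account -> moment its authorization ended.
OFFBOARDED = {"mehmet@example.com.tr": "2025-04-10T17:00:00Z"}


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def preserve_export(raw: str) -> dict:
    """Fingerprint the untouched export before anyone edits rules or resets
    accounts, so the original state can be evidenced later."""
    return {
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "preserved_at": datetime.now(timezone.utc).isoformat(),
        "line_count": len(raw.splitlines()),
    }


def parse_export(raw: str) -> list:
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + COMPANY_DOMAIN)


def find_suspicious_rules(events: list) -> list:
    """Flag inbox rules that carry the traits of a hidden forwarding rule."""
    findings = []
    for e in events:
        rule = e.get("rule")
        if e.get("op") != "New-InboxRule" or not rule:
            continue
        reasons = []
        target = rule.get("forward_to")
        if target and is_external(target):
            reasons.append("forwards to external address")
        if rule.get("delete_after_forward"):
            reasons.append("deletes message after forwarding")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "ip": e.get("ip"), "reasons": reasons})
    return findings


def find_post_termination_access(events: list, offboarded: dict) -> list:
    """Flag any activity on an account after its recorded offboarding time."""
    findings = []
    for e in events:
        cutoff = offboarded.get(e.get("user"))
        if cutoff and _ts(e["ts"]) > _ts(cutoff):
            findings.append({"ts": e["ts"], "user": e["user"], "op": e["op"], "ip": e.get("ip")})
    return findings


def triage(raw: str, offboarded: dict) -> dict:
    """Preserve first, then analyse: the fingerprint is taken before parsing."""
    record = preserve_export(raw)
    events = parse_export(raw)
    return {
        "preservation": record,
        "suspicious_rules": find_suspicious_rules(events),
        "post_termination_access": find_post_termination_access(events, offboarded),
    }
```

The IP addresses in the findings are kept as supporting indicators only; as section 17 notes, an IP address on its own does not identify a person.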
10. CMK Article 134 and Search of Digital Devices
Where a suspect’s computer, phone or digital records must be examined, Article 134 of the Turkish Criminal Procedure Code becomes important. Article 134 regulates search, copying and seizure of computers, computer programs and computer records. UNODC materials state that during seizure of computers or computer records, all data in the system shall be copied, and where the suspect or counsel requests a copy, a copy must be provided and recorded.
This provision matters for both complainants and defendants. A company may request lawful forensic examination of devices used in the offence. A defendant may challenge evidence if digital searches exceeded legal limits, lacked proper authorization or failed to preserve forensic integrity.
A cybercrime file may be weakened if evidence is collected informally by the company without proper documentation and later presented as if it were forensic proof. The safer approach is to preserve internal records and request lawful investigation measures through the prosecutor where necessary.
11. Criminal Complaint Strategy for Companies
A corporate criminal complaint should be detailed, chronological and technical. It should not merely say “our email was hacked.” It should explain how the company discovered the incident, which mailbox was affected, who had authority to access it, what suspicious activity occurred and what evidence exists.
A strong complaint should include:
Company information and authorized signatory details.
Affected email account or system.
Timeline of suspicious activity.
Evidence of unauthorized login.
IP, device or location indicators if available.
Forwarding rules or mailbox changes.
Deleted or transferred emails.
Affected personal data or trade secrets.
Connection to fraud, if any.
Bank transfer records, if any.
Former employee or suspect information, if known.
Internal IT findings.
Request for platform, provider and telecom records.
Request for device examination where legally appropriate.
Legal qualification under Articles 243 and 244, and other relevant provisions.
If the incident involves fake invoice fraud, the complaint should also include the invoice chain, original email, fake email, full headers, recipient IBAN, bank transfer receipt and correspondence with the real supplier.
12. Internal Investigation Rules
Companies often investigate before filing a complaint. Internal investigations are useful, but they must be lawful, proportionate and well documented.
A lawful internal investigation should:
Define the investigation scope.
Preserve original evidence.
Limit access to relevant mailboxes.
Avoid unnecessary review of private content.
Record who accessed evidence.
Export logs in a verifiable manner.
Coordinate with legal counsel.
Protect attorney-client privileged material.
Respect employee privacy.
Assess KVKK implications.
Avoid making defamatory accusations before proof.
A company-owned email account may be subject to business review, but this does not mean unlimited access to all private or irrelevant communications. Policies, prior employee notice and proportionality matter.
13. Employee Privacy and Workplace Email Monitoring
Corporate email monitoring creates a balance between employer rights and employee privacy. Employers have legitimate interests in protecting company systems, preventing fraud, preserving business records and investigating misconduct. Employees, however, may still have privacy expectations, especially if workplace policies are unclear or personal use is tolerated.
A safer corporate structure includes:
Written email and IT use policies.
Employee notification about monitoring.
Clear prohibition of unauthorized access.
Rules on personal use of business email.
Access authorization limits.
Data retention policies.
Incident investigation procedures.
Confidentiality obligations.
Without clear policies, internal evidence may be challenged more easily. A company should not wait until a breach occurs to define email-use rules.
14. Trade Secrets and Confidential Business Information
Unauthorized access to corporate email accounts may expose trade secrets and confidential business data. Emails may contain pricing strategies, customer lists, supplier contracts, legal opinions, tender documents, product designs, source code, board decisions and acquisition discussions.
If the offender copies or discloses this information, the company may have claims beyond cybercrime. Depending on the facts, unfair competition, breach of confidentiality, trade secret violations, civil compensation and interim injunctions may also be considered.
The criminal complaint should classify the affected data carefully. It should explain why the information is confidential, commercially valuable and not publicly available. If the information was sent to a competitor, evidence of the connection should be included.
15. Vendor and IT Service Provider Access
Corporate email systems are often managed by external IT providers, cloud consultants, cybersecurity firms, software vendors or managed service providers. These parties may have administrator access to email systems.
Unauthorized access by a vendor or vendor employee may create contractual, criminal and data protection issues. The service provider may have authority to maintain technical infrastructure but not to read or export business correspondence. The scope of authorization should be defined in the service contract.
Vendor contracts should include:
Access limitations.
Confidentiality duties.
Data protection clauses.
Incident notification duties.
Log retention obligations.
Subcontractor restrictions.
Return and deletion obligations.
Audit rights.
Cooperation with investigations.
Liability provisions.
If vendor access caused or enabled the incident, the company should review both criminal remedies and contractual claims.
16. Defence Strategies in Unauthorized Email Access Cases
A person accused of unauthorized corporate email access may raise several defence arguments depending on the facts.
Possible defence points include:
The accused had authorization.
Access was within employment duties.
The account was shared by multiple employees.
The password was voluntarily provided.
The company failed to revoke access after termination.
There is no proof that the accused personally logged in.
The IP address does not identify the accused.
The device was shared or compromised.
The mailbox was accessed by malware or remote control.
The screenshots are incomplete.
The logs are unreliable or incomplete.
There is no proof of criminal intent.
No data was deleted, altered or transferred.
The case is an employment or commercial dispute, not a crime.
Defence should be technical and specific. A general denial is rarely enough. The lawyer should examine logs, access policies, employment documents, device records and expert reports.
17. IP Address and Device Attribution Problems
Many corporate email cases rely on IP logs. However, an IP address does not always identify the user. A home network may be shared. A company network may have many users. A mobile IP may be dynamic. VPN or proxy services may be used. Malware may cause remote access.
Therefore, attribution should be supported by additional evidence:
Device fingerprint.
Browser information.
MFA records.
Phone number used for verification.
Location consistency.
Account behaviour.
Download activity.
Communication with the suspect.
Employee schedule.
CCTV or physical presence.
Benefit obtained.
If the prosecution relies only on IP data, the defence may challenge whether personal use is proven beyond reasonable doubt.
18. Civil Liability and Compensation
Unauthorized corporate email access may cause material and moral damages. Companies may claim compensation from hackers, former employees, vendors, competitors or other responsible persons.
Material damages may include:
Fraudulent payments.
Lost business opportunities.
Incident response costs.
Forensic investigation expenses.
Legal expenses.
Customer notification costs.
Data recovery expenses.
Business interruption losses.
Loss of trade secret value.
Reputational repair costs.
Civil claims require proof of unlawful act, damage and causation. A criminal investigation may support the civil case, but damages must still be documented.
In some cases, companies may also request interim measures to prevent further use or disclosure of stolen emails or confidential information.
19. Prevention: Corporate Email Security Checklist
Companies can reduce unauthorized email access risk through practical measures:
Use multi-factor authentication.
Disable legacy authentication.
Enforce strong passwords.
Monitor suspicious logins.
Restrict mailbox delegation.
Block automatic external forwarding.
Review mailbox rules periodically.
Use secure email gateways.
Train employees against phishing.
Limit administrator access.
Log admin actions.
Revoke former employee access immediately.
Secure mobile device access.
Use conditional access policies.
Monitor lookalike domains.
Verify IBAN changes by phone.
Preserve logs for sufficient periods.
Prepare incident response procedures.
Security controls also have legal value. If a company later faces regulatory, civil or contractual claims, evidence of reasonable precautions may strengthen its position.
20. Practical Checklist After Unauthorized Email Access
When a company discovers unauthorized corporate email access, it should:
Preserve mailbox logs before changing settings.
Identify affected accounts.
Secure compromised accounts.
Disable suspicious forwarding rules after documenting them.
Reset passwords and revoke sessions.
Preserve email headers and suspicious messages.
Check whether payments were redirected.
Notify banks if fraud occurred.
Assess whether personal data was accessed.
Review KVKK notification duties.
Identify whether trade secrets were affected.
Prepare a criminal complaint.
Request preservation of provider logs.
Notify cyber insurance if applicable.
Inform relevant business partners where necessary.
Document all response steps.
A rushed response may destroy evidence. A delayed response may increase damage. The company needs both speed and discipline.
21. Why Legal Assistance Is Important
Unauthorized access to corporate email accounts requires coordinated legal and technical action. A Turkish cybercrime lawyer can assist with:
Criminal complaint preparation.
Evidence preservation.
KVKK breach assessment.
Internal investigation planning.
Employee misconduct review.
Vendor liability analysis.
Civil compensation claims.
Expert report objections.
Defence against criminal allegations.
Business email compromise response.
Law No. 5651 issues if stolen content is published online.
The strongest strategy combines criminal law, digital forensics, data protection, employment law and corporate governance.
Conclusion
Unauthorized access to corporate email accounts under Turkish law is a serious cybercrime and corporate risk. Turkish Penal Code Article 243 may apply where a person unlawfully enters or remains in a corporate email system. Article 244 may apply where the offender deletes emails, changes settings, transfers data, creates forwarding rules, blocks access or otherwise interferes with system data. If the incident leads to fake invoice fraud, qualified fraud may also be relevant. If personal data is exposed, KVKK breach notification duties must be assessed.
For companies, corporate email security is not merely an IT function. It is part of legal compliance, risk management and corporate governance. Employers should define access rights, monitor logs lawfully, revoke former employee access, train employees, secure mailboxes and prepare incident response procedures. When an incident occurs, evidence must be preserved before technical remediation destroys the record.
For suspects and defendants, the key issues are authorization, intent, attribution, log reliability, device control and correct legal classification. An IP address, username or screenshot may be relevant, but it does not automatically prove guilt.
In Turkey’s digital business environment, corporate email accounts are among the most valuable and vulnerable company assets. Protecting them requires technical security, clear legal policies and rapid legal action when unauthorized access occurs.