Cybercrime Against Companies in Turkey: Trade Secrets, Source Code and Customer Data Theft

Introduction

Cybercrime against companies in Turkey has become one of the most serious legal and commercial risks of the digital economy. Companies no longer rely only on physical assets, real estate, machinery or inventory. Their most valuable assets are often digital: trade secrets, source code, customer databases, pricing models, supplier lists, algorithms, project files, technical drawings, financial records, business plans, CRM data, employee files and confidential e-mail correspondence.

When these assets are stolen, copied, deleted, transferred or used by competitors, the consequences may be severe. A company may lose customers, suffer reputational harm, face personal data breach obligations, lose competitive advantage, become involved in employment disputes, file criminal complaints, pursue civil compensation and seek urgent injunctions. The incident may also expose the company to regulatory scrutiny if customer or employee personal data is affected.

Under Turkish law, cybercrime against companies may involve several legal regimes at the same time. Turkish Penal Code Articles 243 and 244 regulate unauthorized access to information systems and interference with systems or data. The Council of Europe identifies Article 243 as illegal access to a computer network system and Article 244 as preventing system functioning and deletion, alteration or corruption of data. If customer or employee data is involved, the Personal Data Protection Law No. 6698, known as the KVKK, may also apply. If trade secrets or confidential business information are misused, unfair competition and civil remedies may become important. Trade secrets in Turkey are generally protected through unfair competition provisions of the Turkish Commercial Code and other scattered legal mechanisms.

This article explains cybercrime against companies in Turkey with a focus on trade secrets, source code and customer data theft. It covers criminal liability, civil remedies, data protection obligations, digital evidence, internal investigations, former employee misconduct, competitor liability and defence strategies.

1. Why Corporate Data Is a Strategic Legal Asset

Corporate data is often the foundation of commercial value. A customer database may represent years of sales effort. Source code may be the core product of a software company. Technical drawings may embody engineering know-how. Pricing models may reveal market strategy. Supplier terms may determine profit margins. Internal reports may show weaknesses, opportunities and confidential plans.

For this reason, unlawful access to corporate systems is not merely an IT issue. It may be a criminal offence, a breach of employment obligations, an unfair competition act, a personal data breach and a civil wrong. The company must respond quickly, but also carefully. If evidence is not preserved, the company may fail to prove who accessed the system, what data was taken and how damage occurred.

Corporate cybercrime may be committed by external hackers, former employees, current employees, contractors, IT service providers, competitors, business partners or organized fraud groups. The legal strategy depends heavily on who committed the act, how the data was obtained and what was done with it.

2. Main Criminal Provisions: Turkish Penal Code Articles 243 and 244

The two most important criminal provisions for corporate cybercrime are Articles 243 and 244 of the Turkish Penal Code. Article 243 concerns unlawful access to an information system. Legal commentary summarizing Article 243 states that a person who unlawfully enters or remains in all or part of an information system may be punished with imprisonment of up to one year or a judicial fine, and if data in the system is destroyed or altered as a result of the act, imprisonment from six months to two years may apply.

Article 244 is more directly relevant where the offender deletes, alters, transfers, corrupts or makes data inaccessible. The same source summarizes Article 244 as punishing obstruction or disruption of an information system with imprisonment from one to five years, and punishing corruption, destruction, alteration, rendering inaccessible, introduction or transfer of data with imprisonment from six months to three years.

In corporate cases, Article 243 may apply when a former employee logs into a company system after termination, a competitor enters a database without permission, or a contractor continues accessing servers after the service agreement ends. Article 244 may apply when source code is copied, customer data is exported, files are deleted, passwords are changed, data is sent to a third party, or business records are made inaccessible.

The distinction matters. Unauthorized entry into the system may be enough for Article 243. But where the offender transfers company data, deletes records or disrupts operations, Article 244 may provide a stronger legal basis.

3. Trade Secret Theft in Turkey

Trade secret theft is a major risk in corporate cybercrime cases. A trade secret may include technical, commercial, financial or strategic information that is not publicly known and gives the company a competitive advantage. Examples include manufacturing methods, source code, algorithms, formulas, customer lists, pricing strategies, project documents, tender calculations, market research, supplier contracts and strategic business plans.

Turkey does not have one single comprehensive trade secret code in the same way some jurisdictions do. Current Turkish legal commentary notes that trade secret protection is scattered across different laws and that protection mainly arises through unfair competition provisions of the Turkish Commercial Code, confidentiality and loyalty obligations under contract and employment law, criminal law provisions and sector-specific rules.

Unfair competition law is especially important. Trade secret protection in Turkey is generally linked to the idea that disclosure or misuse of confidential business information contrary to honest commercial practices may constitute unfair competition.

In a corporate cybercrime case, the company should identify exactly why the stolen information is confidential. It should explain whether the information was non-public, commercially valuable, internally restricted, protected by access controls, covered by confidentiality agreements and used in competition. A vague statement that “company documents were stolen” may be insufficient. The legal file should show what was taken and why it qualifies as confidential business information.

4. Source Code Theft

Source code theft is one of the most serious forms of corporate cybercrime, especially for software companies, fintech businesses, SaaS providers, e-commerce platforms, mobile application developers, gaming companies and technology startups. Source code may contain core product logic, security architecture, algorithms, API integrations, database structures, authentication systems and proprietary business methods.

Source code theft may occur in many ways. A developer may download repositories before resignation. A contractor may keep copies after the project ends. A competitor may obtain credentials and clone repositories. A hacker may access Git systems, cloud storage or deployment servers. A former employee may transfer source code to a new employer or use it in a competing project.

Legally, source code theft may involve Article 243 if the offender accessed repositories without authorization. It may involve Article 244 if source code was copied, transferred, altered, deleted or made inaccessible. It may also create civil liability for breach of confidentiality, unfair competition and copyright-related claims depending on the facts.

A company alleging source code theft should preserve repository logs, commit history, download logs, access permissions, IP records, device records, employment documents, confidentiality agreements and evidence of similarity between the stolen code and any competing product. If the suspect claims they wrote the code personally, the company must show ownership, employment scope, project assignment and internal development history.

5. Customer Data Theft

Customer data theft is both a commercial and data protection risk. Customer lists may include names, phone numbers, e-mail addresses, addresses, purchasing history, contract terms, payment information, preferences, complaints, personal identification data and commercially sensitive sales records.

If the stolen customer information relates to identified or identifiable natural persons, KVKK obligations may arise. The Personal Data Protection Board’s Decision No. 2019/10 states that if processed personal data is obtained by others through unlawful means, the data controller must notify the Board without delay and no later than 72 hours after becoming aware of the breach.

Therefore, a company cannot treat customer data theft only as a competition problem. It must also assess whether a reportable personal data breach has occurred. The company should determine what data categories were taken, how many individuals were affected, whether special categories of personal data were involved, whether the data was transferred to a third party, and what measures were taken to contain the incident.

If the customer list is also commercially confidential, the same incident may support both KVKK breach analysis and unfair competition claims.

6. Former Employees as a Common Risk Source

Many corporate cybercrime cases involve former employees. The employee may have had lawful access during employment but may continue using access rights after termination or may copy data before leaving. Former sales employees may take customer lists. Developers may take source code. Managers may take pricing files. IT administrators may retain server credentials. HR employees may copy employee files.

The central legal question is authorization. Did the employee have authority to access the system at the relevant time? Did the employee have authority to export the data? Was the data copied for work purposes, or for personal use or competition? Did the employment relationship already end? Were access rights revoked?

If the former employee continues accessing systems after employment ends, Article 243 may apply. If the employee copies, deletes, transfers or makes data inaccessible, Article 244 may also be relevant. If customer or employee personal data is copied or shared, personal data crimes and KVKK obligations may arise.

Companies should have strict offboarding controls. E-mail access, VPN credentials, repository access, CRM permissions, cloud accounts, shared passwords and social media administrator rights should be revoked immediately. Failure to revoke access may not excuse intentional misuse, but it can make proof and prevention harder.

7. Current Employees and Internal Misuse

Current employees may also commit cybercrime if they exceed authorized access. Employment does not give unlimited permission to access all systems or export all data. A salesperson may be authorized to view certain customer records but not to export the entire CRM database to a personal e-mail. A developer may be authorized to work on a code repository but not to copy the full source code for a competing business. An HR employee may access personnel files for work, but not share them with third parties.

Internal misuse is often difficult to prove because the initial access may appear legitimate. The company must show that the employee exceeded authorization, acted outside job duties, copied or transferred data unlawfully, and caused risk or damage.

Relevant evidence may include access logs, download records, e-mail forwarding records, USB connection logs, cloud transfer records, unusual login times, resignation timing, communications with competitors and customer solicitation after departure.

8. Competitor Liability

A competitor may become legally exposed if it knowingly receives or uses stolen data. Hiring a former employee is not unlawful by itself. However, instructing an employee to bring customer lists, source code, pricing files or trade secrets may create serious civil and potentially criminal consequences.

Evidence of competitor involvement may include communications between the employee and new employer, sudden contact with the former employer’s customers, use of identical pricing models, cloned software features, copied technical documents, similar source code structure, internal messages or witness statements.

If competitor involvement is suspected, the company may consider civil injunctions, unfair competition claims, evidence preservation and a criminal complaint against all participating persons. Allegations against competitors should be evidence-based. A mere suspicion that the competitor benefited is usually not enough.

9. KVKK Compliance After Corporate Data Theft

Where stolen company data includes personal data, the company must conduct a KVKK breach assessment. The official KVKK Board decision requires notification to the Board without delay and no later than 72 hours after awareness where processed data is obtained by others unlawfully.

The company should prepare an internal breach file containing:

The date and time of discovery.

The suspected date of the incident.

Affected systems.

Data categories involved.

Number of affected persons.

Whether special category data is affected.

Whether data was copied, transferred or only accessed.

Containment measures.

Whether the Board was notified.

Whether data subjects were notified.

Whether a criminal complaint was filed.

Reasons if notification was not made.

Documentation is essential. Even if the company decides that notification is not required, it should record the basis for that decision. If the Authority later asks questions, documented reasoning will be important.

10. Cybersecurity Law No. 7545 and Corporate Obligations

Turkey’s Cybersecurity Law No. 7545 entered into force after publication in the Official Gazette on 19 March 2025. Legal updates describe its purpose as protecting public institutions, individuals and private sector entities from cyber threats and establishing comprehensive policies and strategies to enhance national cybersecurity; its scope broadly applies to public institutions, private legal entities, professional associations and individuals operating in cyberspace.

Corporate cybercrime incidents may therefore require broader cybersecurity governance review. Depending on the company’s sector, size, data processing activities and criticality, the company may need to assess incident reporting, cooperation with authorities, security standards, audit readiness and internal cyber resilience procedures.

Even where secondary regulations or sector-specific details are still developing, companies should treat cyber incidents as governance events. A source code theft, customer database leak or system compromise should not be handled only by the IT department. Legal, compliance, management, HR and cybersecurity teams should work together.

11. Digital Evidence in Corporate Cybercrime Cases

Digital evidence is the foundation of any successful corporate cybercrime case. Without strong evidence, the company may suspect data theft but fail to prove it. Important evidence may include:

Access logs.

Repository logs.

CRM export records.

Cloud download records.

VPN logs.

E-mail forwarding records.

USB connection records.

Endpoint security alerts.

File metadata.

IP addresses.

Device identifiers.

Admin activity records.

Deleted file recovery reports.

Source code commit history.

Customer contact records.

Messages with competitors.

Employment documents.

Confidentiality agreements.

Evidence must be preserved carefully. If the company deletes user accounts, formats laptops, overwrites logs or changes systems without preservation, it may lose the ability to prove the incident. In serious cases, forensic imaging and hash verification should be used. Internal IT findings should be documented with dates, persons involved and methods used.
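The hash verification and documentation step described above can be sketched as follows; this is an added example, not part of the original article. The file names, user name and collector label are constructed, and the manifest layout is an assumption rather than a prescribed forensic format.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _seal(manifest):
    """SHA-256 over the canonical JSON of the manifest, excluding the seal itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir, collected_by, method):
    """Record who collected what, when and how, with one hash per preserved file."""
    root = Path(evidence_dir)
    files = [
        {"path": p.relative_to(root).as_posix(),
         "size": p.stat().st_size,
         "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    manifest = {
        "collected_by": collected_by,
        "method": method,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
    }
    manifest["manifest_sha256"] = _seal(manifest)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash the evidence and report every deviation from the manifest."""
    root = Path(evidence_dir)
    recorded = {f["path"]: f["sha256"] for f in manifest["files"]}
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    return {
        "manifest_intact": _seal(manifest) == manifest.get("manifest_sha256"),
        "missing": sorted(set(recorded) - present),
        "unexpected": sorted(present - set(recorded)),
        "modified": sorted(path for path in present & set(recorded)
                           if sha256_file(root / path) != recorded[path]),
    }


def demo():
    """Constructed sample: two exported logs, then one is altered after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vpn_log.txt").write_text("2025-01-10T08:01:00Z user=a.yilmaz connect\n")
        (root / "crm_export_audit.csv").write_text(
            "ts,user,rows\n2025-01-10T08:05:00Z,a.yilmaz,48210\n")
        manifest = build_manifest(root, collected_by="IT security lead (hypothetical)",
                                  method="read-only export from log server")
        clean = verify_manifest(root, manifest)
        # Simulate post-collection alteration of one file and a stray new file.
        (root / "crm_export_audit.csv").write_text(
            "ts,user,rows\n2025-01-10T08:05:00Z,a.yilmaz,12\n")
        (root / "notes.txt").write_text("added later\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("at collection", "after alteration"), demo()):
        print(label, json.dumps(result, indent=2))
```

The manifest seal only proves integrity if its value is fixed somewhere outside the evidence folder at collection time, for example in the signed incident minutes.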

12. Criminal Complaint Strategy

A criminal complaint should be detailed, factual and supported by digital evidence. A vague complaint saying “our data was stolen” is weak. The complaint should explain the system accessed, the authorization limits, the data taken, the method used, the suspected person, the evidence and the damage.

A strong criminal complaint should include:

Company identity and authorized representative.

Description of affected systems.

Identity and role of suspected employee, contractor or third party.

Employment or contractual relationship.

Access permissions and limits.

Date and time of suspicious access.

Logs showing access, download, transfer or deletion.

Description of stolen trade secrets, source code or customer data.

KVKK impact if personal data is involved.

Evidence of competitor use, if any.

Financial and commercial damage.

Legal qualification under Articles 243 and 244.

Requests for device examination.

Requests for provider, platform, IP and telecom records.

Requests for preservation of evidence.

If source code is involved, the complaint should include repository evidence, project ownership documents and technical explanation of why the code is confidential and valuable.

13. Civil Remedies and Injunctions

Criminal proceedings may punish the offender, but companies often need urgent civil remedies to stop use of stolen data. Civil remedies may include compensation claims, injunctions, unfair competition claims, return or deletion of data, prohibition of customer solicitation based on stolen data, and evidence preservation.

In trade secret cases, urgency is important. If a competitor is about to use stolen source code or customer data, waiting for a criminal investigation may not be enough. The company may need interim measures to prevent disclosure, copying, use or further transfer.

Potential civil claims may seek:

Immediate cessation of unlawful use.

Return or destruction of copied files.

Prevention of disclosure to third parties.

Prohibition of customer solicitation based on stolen data.

Compensation for lost profit.

Compensation for loss of competitive advantage.

Forensic examination.

Evidence preservation.

Publication of judgment where applicable.

The requested measure must be proportionate and supported by prima facie evidence.

14. Internal Investigation Principles

Companies often conduct internal investigations before filing a complaint. This is necessary but must be done lawfully. An internal investigation should not become a privacy violation or evidence contamination exercise.

A lawful investigation should:

Define the scope.

Preserve original evidence.

Limit review to relevant systems.

Avoid unnecessary examination of private employee content.

Document who accessed evidence.

Secure company devices.

Review logs before account deletion.

Coordinate with legal counsel.

Protect privileged communications.

Assess KVKK obligations.

Prepare a clear incident timeline.

If employee e-mails or devices are examined, the company should consider workplace privacy principles, internal policies and proportionality. A company-owned device does not automatically justify unlimited review of private materials.

15. Source Code and Software Ownership Evidence

In source code theft cases, ownership and authorship may be disputed. A developer may claim that they created the code personally or that similar code is based on open-source materials. The company must be ready to show that the code belongs to it.

Useful evidence includes:

Employment agreement.

IP assignment clauses.

Project assignment records.

Repository history.

Commit logs.

Internal development tickets.

Code review records.

Product documentation.

Confidentiality agreements.

Access restrictions.

Proof of commercial use by the company.

Comparison with competing code.

If open-source components are involved, the company should separate proprietary code from open-source materials. The claim should focus on confidential and proprietary elements rather than publicly available libraries.

16. Customer Data and Commercial Damage

Customer data theft can cause immediate and long-term damage. The former employee or competitor may contact customers, undercut prices, misuse contract terms, imitate sales strategy or damage trust.

The company should document:

Which customers were contacted.

Whether customers received offers from the former employee or competitor.

Whether pricing was unusually similar.

Whether customers terminated contracts.

Whether customer complaints mention data misuse.

Whether sales dropped after the incident.

Whether the competitor used non-public information.

This documentation is important for both compensation and unfair competition claims. Courts need concrete damage evidence, not only general claims of harm.

17. Defence Strategies in Corporate Cybercrime Allegations

Persons accused of corporate cybercrime may include former employees, developers, IT staff, contractors, executives, competitors or account holders. Defence strategy depends on the alleged conduct.

Possible defence arguments include:

Access was authorized.

The data was not confidential.

The data was publicly available.

The accused did not copy or transfer the data.

The logs do not prove personal use.

Shared accounts were used by multiple persons.

The company failed to revoke access.

The download was for legitimate work purposes.

The source code was independently developed.

The customer list was built independently.

The evidence was collected unlawfully.

The case is a civil employment dispute, not a crime.

Article 244 is excessive because no data was altered, deleted or transferred.

Defence should focus on authorization, intent, data classification, evidentiary reliability and legal qualification. A username or IP address may be relevant, but it does not automatically prove criminal guilt.

18. Preventive Measures for Companies

Companies can reduce corporate cybercrime risks through legal and technical controls:

Role-based access control.

Multi-factor authentication.

Repository access management.

CRM export restrictions.

Data loss prevention tools.

USB restrictions.

E-mail forwarding controls.

Cloud access monitoring.

Employee confidentiality agreements.

Source code IP assignment clauses.

Vendor access controls.

Offboarding procedures.

Periodic access reviews.

Log retention.

Incident response plan.

KVKK breach response plan.

Cybersecurity training.

Trade secret classification policy.

Prevention is legally valuable. If a company later files a complaint or defends itself in a regulatory review, evidence of reasonable controls strengthens its position.

19. Offboarding Checklist

When an employee or contractor leaves, the company should:

Disable e-mail access.

Revoke VPN access.

Remove repository permissions.

Revoke cloud storage access.

Disable CRM and ERP accounts.

Change shared passwords.

Recover company devices.

Remove social media admin rights.

Review recent downloads.

Check e-mail forwarding rules.

Preserve logs.

Obtain signed return documents.

Remind the person of confidentiality obligations.

Monitor unusual customer contact after departure.

Many corporate data theft cases happen because offboarding is weak. Access that should have ended remains active, and former employees exploit this gap.
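The "review recent downloads" and "preserve logs" items above can be turned into a repeatable check; the following is an added example, not part of the original article. The log format, the HR record layout, the user names and the thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real data): "timestamp user system action rows".
# All timestamps are assumed to be in the same time zone as the HR records.
SAMPLE_LOG = """\
2025-02-03T09:12:00 e.kaya crm export 120
2025-02-10T10:02:00 e.kaya crm export 95
2025-02-17T09:40:00 e.kaya crm export 110
2025-03-12T22:47:00 e.kaya crm export 48210
2025-03-20T08:15:00 e.kaya vpn login 0
2025-03-21T08:20:00 e.kaya crm export 300
2025-03-05T11:00:00 m.demir crm export 80
2025-03-12T11:30:00 m.demir crm export 90
"""

# Hypothetical HR feed: resignation notice date and the moment access should end.
HR = {"e.kaya": {"notice": datetime(2025, 3, 14),
                 "terminated": datetime(2025, 3, 15, 18, 0)}}


def parse(log_text):
    """Turn the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "system": system, "action": action, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])


def review_departures(events, hr, window_days=14, factor=10, min_rows=1000):
    """Flag access after termination and unusually large exports before departure."""
    findings = []
    for user, dates in hr.items():
        mine = [e for e in events if e["user"] == user]
        window_start = dates["notice"] - timedelta(days=window_days)
        # Baseline: the user's own export sizes before the departure window.
        history = [e["rows"] for e in mine
                   if e["action"] == "export" and e["ts"] < window_start]
        # With no history, fall back to the absolute floor instead of failing.
        threshold = max(min_rows, factor * (median(history) if history else 0))
        for e in mine:
            if e["ts"] > dates["terminated"]:
                # Any activity here means revocation did not take effect.
                findings.append(("POST_TERMINATION_ACCESS", e["ts"].isoformat(),
                                 user, f'{e["system"]} {e["action"]}'))
            elif (e["action"] == "export" and e["ts"] >= window_start
                  and e["rows"] > threshold):
                findings.append(("BULK_EXPORT_BEFORE_DEPARTURE", e["ts"].isoformat(),
                                 user, f'{e["rows"]} rows vs threshold {threshold:.0f}'))
    return findings


if __name__ == "__main__":
    for finding in review_departures(parse(SAMPLE_LOG), HR):
        print(*finding)
```

A finding is a lead for the lawful internal investigation described in Section 14, not proof of who was at the keyboard.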

20. Practical Checklist After Discovering Corporate Data Theft

A company that discovers suspected trade secret, source code or customer data theft should:

Preserve all logs immediately.

Avoid deleting the suspect account before evidence is exported.

Secure affected systems.

Identify what data was accessed or copied.

Determine whether personal data is involved.

Assess KVKK notification duties.

Review employment and confidentiality documents.

Preserve devices where legally possible.

Conduct a lawful internal investigation.

Prepare a criminal complaint.

Consider civil injunctions.

Notify insurers if relevant.

Document financial and commercial damage.

Review whether a competitor is involved.

Update security controls after containment.

The response must be fast but disciplined. Panic may destroy evidence. Delay may allow further misuse.

Conclusion

Cybercrime against companies in Turkey is a multi-layered legal issue involving criminal law, data protection, unfair competition, employment law, contract law and digital evidence. Trade secrets, source code and customer data are valuable corporate assets. When they are accessed, copied, transferred, deleted or used unlawfully, Turkish Penal Code Articles 243 and 244 may apply. Article 243 addresses unlawful access to information systems, while Article 244 addresses system disruption and data deletion, alteration, transfer or inaccessibility.

If customer or employee personal data is affected, the company must also assess KVKK breach notification obligations. The Personal Data Protection Board’s Decision No. 2019/10 requires notification to the Board without delay and no later than 72 hours after becoming aware of a breach where processed personal data is obtained unlawfully by others. If trade secrets are involved, unfair competition and civil remedies may be essential because Turkish trade secret protection is generally linked to unfair competition and related legal mechanisms.

For companies, the strongest strategy is prevention, evidence preservation and precise legal action. Access rights must be controlled, source code repositories must be protected, customer data exports must be monitored, employees must be bound by confidentiality obligations and offboarding must be strict. When an incident occurs, the company should preserve digital evidence, assess KVKK duties, prepare a detailed criminal complaint and consider urgent civil injunctions.

For suspects and defendants, the key issues are authorization, intent, data classification, reliability of logs, lawful evidence collection and whether the dispute is truly criminal or primarily civil. Corporate cybercrime cases are technically complex, and every allegation must be tested against the statutory elements.

In Turkey’s digital business environment, trade secrets, source code and customer data can define a company’s market position. Protecting them requires cybersecurity, legal governance and fast legal response when corporate cybercrime occurs.
