Cyber Threat Actor: Former Rezzan Gnday (?im?ek Pharmacy) employee
| Actor Type | Location | Known Incidents |
Insider - Disgruntled
|
Turkey
|
2 incidents |
|---|
Profile
The threat actor is identified asa former employee of Rezzan Günday (Şimşek Pharmacy) in Turkey, frequently referenced by the alias “Former Rezzan Gnday (?im?ek Pharmacy) employee.” The individual’s location is confirmed to be Turkey, where the pharmacy conducts its operations. The actor’s actions constitute an insider threat, stemming from the misuse of access privileges that remained valid after the employment relationship ended. This status enabled the actor to interact with internal systems without triggering external intrusion alerts.
The actor’s activities were directed at the pharmacy and healthcare sector within Turkey, focusing on the extraction of personal data held by the business. The compromised information included national identification numbers, telephone numbers, and special category health data belonging to customers. The stolen data was transferred to another pharmacy without the knowledge or consent of the affected individuals, an action undertaken to facilitate the supply of drugs from other pharmacies. This objective reflects a clear operational aim tied to the procurement and distribution of medication rather than espionage or disruption. The breach involved the handling of sensitive personal data classified under Turkish law as special category, underscoring the privacy implications of the incident.
The unauthorized access and data exfiltration began no earlier than October 2019 and continued until the breach was identified, indicating a prolonged period of misuse. The Turkish Data Protection Authority (KVKK) announced the breach publicly on 18 August 2020, noting that the violation had persisted since October 2019 and that the compromised data comprised ID numbers, telephone numbers, and health‑related special category information. No publicly available evidence connects the actor to any state‑sponsored group, criminal consortium, or broader malware campaign; the incident is confined to the abuse of legitimate insider credentials. Consequently, the actor’s tactics are limited to credential abuse and data transfer, with no reported use of malware, phishing, or external hacking tools. This case illustrates how former employee privileges can be exploited for illicit data movements within the Turkish healthcare sector.
