Banks treat customers’ personal information as a throwaway asset and then try to avoid taking responsibility when the leak becomes public. This happens all over the world.
The casual handling of customer data and the institutional instinct to reject accountability when that data surfaces somewhere it should not is not a local problem. It is a global one. Seen through that lens, the Court of Cassation’s 2025 ruling against Türk Ekonomi Bankası (TEB) carries weight that extends well beyond the courtroom where the Tatlıcı mother and son, Ugur Tatlici and Nurten Tatlici, sought justice for what happened to their family’s financial records.
The case has its origins in a routine judicial request. Or, what should have been one.
In 2009, a Turkish court directed TEB to produce account records spanning a single decade, records tied to the estate of Mehmet Salih Tatlıcı, the Turkish tycoon whose death led one of the country’s long-lasting inheritance disputes. The request was circumscribed and unambiguous, covering the 10 years before 2009.
Eight years later, in April 2017, the bank’s oversight ledmore than a thousand transactions covering the 10 year period dating back from 2017 onto the court’s digital filing system, producing a record of financial activity that extended well beyond the scope of any court order.
Within weeks, those records were circulating on the internet. For Uğur and Nurten Tatlıcı, and for other members of the Tatlıcı family whose identities remain protected, and the other third parties, the exposure was comprehensive and personal. Though it is unknown what were the parts of that record, every financial transaction, every deposit, every credit repayment might have suddenly rendered visible.
TEB moved to have the documents removed from the system, but the request arrived after the damage had already spread. The lower courts in 2019 dismissed the mother and son’s claim for non-pecuniary damages.
Turkey’s top appeals court threw out the earlier rulings and sided with the Tatlıcı family. The court said TEB had broken its obligations and the fact that a third-party website had later published the leaked records did not change who was responsible for the leak in the first place. That responsibility sat with the bank.
In September 2025, a Istanbul court went one step further and ordered TEB to pay damages to the Tatlici mother and son, and perhaps others, whose financial lives had been laid bare without their permission.
Across the world, similar stories keeps getting unfolded.
In the United States, Evolve Bank & Trust suffered a breach in 2024 that exposed the personal information of roughly eighteen million customers. The bank eventually settled a class‑action suit for nearly twelve million dollars and paid an additional three‑million‑dollar settlement for separate claims.
Across the Atlantic, the United Kingdom’s Equifax was slapped with an £11 million fine in late 2023 by the Financial Conduct Authority after regulators discovered that the firm had failed to monitor outsourced data processing, left encryption gaps wide open, and neglected essential software patches.
Down under, Westpac experienced a breach of its PayID platform in 2019 that exposed around one hundred thousand customers. Although no fine has been issued yet, the Australian privacy regulator has opened an investigation, and the bank is already spending millions on remediation.
Each of these incidents shares a familiar script where a bank mishandles data, a third party (or a hacker) amplifies the exposure, and the institution reacts slowly, often only after regulators or lawsuits force its hand.
What the data tells us about the root causes
Unlike many U.S. and European banks that face multi‑million‑dollar fines, it is unknown whether there is a monetary penalty entered for TEB. This has not been publicly disclosed. The court awarded damages to Uğur and Nurten Tatlıcı, whose exact amount remains unknown. And again, there might be other third parties who have been awarded damages, but their identities are not disclosed.
A personal note
When I first read about what happened to the mother and the son Tatlicis, I thought about how scary it must be to see your bank statements, which used to be private, being looked at by strangers on the internet.
It reminded me of a friend who, after a data breach at his employer, felt exposed every time he logged onto his phone, fearing that his personal habits were now public property.
In one of the Turkish TV series, highly known and watched Cranberry Sorbet, Gorkem collaborates with a bank to uncover his husband, Fatih’s financial information. She visits the bank by promising to become a major client to the bank offices and convinces bank officer to access details linked to Cansu, the woman Fatih having an affair.
Like many dramas, this series also mirrors social realities and cultural behaviours.
These kinds of scenes make me think about how hard it is to properly trust Turkish banks to respect their customers’ privacy.
Turkey’s highest court finally held TEB accountable.
I only hope that this will set a precedent that could bring better practices to banking‑secrecy in Turkey.