Middle East

Turkey investigates leak of 50 million citizens’ data

File picture illustration of the word 'password' pictured on a computer screen, taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

ISTANBUL: Turkey’s authorities launched a probe Wednesday into a leak of the personal data of some 50 million Turkish citizens, the latest breach to expose weaknesses in the country’s information security.

The massive database – containing Turks’ names, identity numbers and addresses – was posted online by hackers earlier this week along with sharp jabs at the country’s leadership.

Ankara federal prosecutors have opened an investigation into the data spill which risks exposing most of Turkey’s 78 million Turkish citizens to identity theft and fraud, Turkish media reports said.

Local media said the site where the data was posted appeared to be hosted by an Icelandic group that specializes in divulging leaks, using servers in Romania.

An online statement was posted by the hackers under the headline “Turkish Citizenship Database,” pointing out weaknesses in the country’s protection of data in a section called “lessons to learn for Turkey.”

It offered a hint of what the database contains, providing the personal data of President Recep Tayyip Erdogan, Prime Minister Ahmet Davutoglu and former president Abdullah Gul.

“Putting a hardcoded password on the UI [User Interface] hardly does anything for security. Do something about Erdogan! He is destroying your country beyond recognition.”

“Who would have imagined that backward ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”

Tuncay Besikci, a computer forensics expert at auditing and consultancy firm PwC, confirmed to Reuters the file contained ID numbers and personally identifiable information of at least 46 million citizens.

Transport and Communications Minister Binali Yildirim initially brushed off the leak as an “old story” but Wednesday confirmed the security breach, saying “we now know who leaked it.”

He said the data was from electoral records that the state shares with political parties before elections.

However, Besikci, the computer expert, said he believed the data was taken from the government’s official Population Governance Central Database in or around 2009 and later illegally sold on to firms that dealt in asset foreclosures.

Yildirim suggested the breach had been the work of “the parallel structure” – a phrase used to describe a network run by Erdogan’s arch-foe, the U.S.-based cleric Fethullah Gulen.

Gulen is often accused of running a parallel state aimed at usurping Erdogan and his supporters are a favored target of government.

“In line with the law, additional measures are being taken as regards the access of personal information,” Yildirim said, warning of “serious prison terms” for those who divulged confidential data.

Justice Minister Bekir Bozdag said the investigation would focus on “where this was leaked from, finding out how it was leaked.”

Several Turks on social media reported finding their details in the database, but Yildirim advised citizens not to expose themselves further by digging around in the file.

“Don’t go there, it is a trap. They want to get more data that belongs to you,” he said.

Turkey has been working on a new data protection law for over a decade, a step that is crucial as part of the process of accession to the European Union.

The latest version of the draft law was sent to parliament in January and the communications minister said it would come into force imminently.

“People who do things like this will have to give account for what they have done. Previously, there was no legal framework. With the president’s approval it will come into force soon,” Yildirim said.

The U.S. has also been exposed to massive data leaks, with hackers gaining access to some 20 million personnel records for U.S. government employees and contractors last year.

Turkey was also targeted by hacktivist group Anonymous in December with a massive cyber-attack and threats of continued attacks against a country it said was “supporting the Islamic State [Daesh] by buying their oil and tending to their injured fighters.”

The December hacking involved a flood of disruptive traffic, known as a DDoS (Distributed Denial of Service) attack, where computers target specific Internet sites, resulting in web speeds plummeting.

A version of this article appeared in the print edition of The Daily Star on April 07, 2016, on page 9.




Your feedback is important to us!

We invite all our readers to share with us their views and comments about this article.

Disclaimer: Comments submitted by third parties on this site are the sole responsibility of the individual(s) whose content is submitted. The Daily Star accepts no responsibility for the content of comment(s), including, without limitation, any error, omission or inaccuracy therein. Please note that your email address will NOT appear on the site.

Alert: If you are facing problems with posting comments, please note that you must verify your email with Disqus prior to posting a comment. follow this link to make sure your account meets the requirements. (http://bit.ly/vDisqus)

comments powered by Disqus



Interested in knowing more about this story?

Click here