Turkey’s communications minister this week is denying reports that personally identifiable information of 50 million of the country’s citizens has been leaked online.
On Monday hackers published what they claim is a Turkish citizenship database, a cache of information downloadable via BitTorrent, that allegedly includes details on 49,611,709 individuals. The information includes citizens’ names, national identification numbers, dates of birth, the cities they were born in, full addresses, genders, and parents names.
If the leak is legitimate, it could ultimately wind up being much worse than last year’s Office of Personnel Management (OPM) breach, which spilled information on 21.5 million U.S. government employees. For what it’s worth, Turkey’s population is roughly 79 million, meaning the database couldn’t possibly contain data on every Turkish national, but could account for roughly 63 percent of the country’s citizens.
If this is really what it claims, I think it is one of the largest security/PII breaches since the #OPM hack: https://t.co/xyFRTf2hHD
— Jacob Appelbaum (@ioerror) April 4, 2016
Binali Yıldırım, the Minister of Turkey’s Transport, Maritime and Communication office, refuted the breach on Tuesday during a meeting with the Turkish World Union of Engineers and Architects in Istanbul.
“This is a very old story. A similar allegation was made in 2010,” Yıldırım told reporters, according to Hurriyet Daily News, “This issue is brought to the agenda from time to time. It is now being served like a new story. These outdated reports are not newsworthy.”
It’s unclear exactly how old the information is, but there may be some validity to Yıldırım’s statement.
According to Eren Türkay, a systems administrator based in Istanbul, the leak may actually date back to 2008, but this is the first time that an attacker has taken time to dump the information in clear text. Türkay’s theory is the information may stem from when Turkey previously held general elections.
@mrkoot my theory is that it is still old leak from general elections. In previous election, ~49m people voted, which is close this site.
— Eren Türkay (@erenturkay) April 3, 2016
Others are claiming the breach is a merely decrypted version of a breach from February, in which a database was dumped by hacker TheCthulhu.
@ioerror It's the decrypted version of the leak, @CthulhuSec mentioned like 1.5 month ago. https://t.co/xCiqLPo0UZ
— Isik Mater (@isik5) April 4, 2016
Regardless, there’s some legitimacy here; the Associated Press, that broke the story, claims it was able to verify a handful of non-public Turkish ID numbers against the leaked database. Eight of the 10 ID numbers matched. In a subsequent story, he AP claimed the site is being hosted by an Icelandic group that leaked information in the past, using servers in Romania.
Hackers previewed the 6.6-gigabyte database in convincing fashion on Monday, posting information on the President of Turkey, Recep Tayyip Erdoğan, his predecessor, Abdullah Gül, and the country’s Prime Minister, Ahmet Davutoğlu.
Davutoğlu told reporters during a visit to Finland that the government was looking into the incident.
“Our citizens must be reassured that measures are being taken,” Davutoğlu said.
The fact that the attackers chose to dump the information and publicize it this week appears to be politically motivated. Attackers called out Erdoğan in particular on the site that’s sharing the information and cite “backwards ideologies” and escalating extremism in the country.
Erdoğan and the Turkish government have garnered a considerable amount of backlash recently regarding a maligned data protection law which passed last month.
The sweeping law allows the government to collect sensitive information like citizens’ race, ethnicity, personal religious and philosophical beliefs, any image or sound recordings, genetic data, IP address, hobbies, medical data, and even their appearance.