Hack Brief: Turkey Breach Spills Info on More Than Half Its Citizens

Though the database is from 2008, privacy activists say it still represents a serious exposure of sensitive information for most of the nation.

The nation of Turkey has been reeling from terrorist bombings in its biggest cities, a teeming refugee crisis, and a president who wants to rewrite its constitution to give himself more power. Now, in the midst of those calamities, it's also been hit with what appears to be an enormous data breach, one that affects the majority of the country's citizens.

The Hack

On Monday, an unnamed hacker posted to the web a 1.4 gigabyte compressed BitTorrent file that appears to contain personal data on 50 million Turkish citizens, including their names, addresses, parents' first names, cities of birth, birth dates, and a national identifier number used by the Turkish government, all of which were verified as authentic by the Associated Press. The leak also included a taunting message referring to sloppy data protections and a hardcoded password that allowed the entire unencrypted database to be siphoned from the Turkish government's servers.

"Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?" reads a statement on the site hosting the leaked data. "Do something about [Turkish President Recep Tayyip] Erdogan! He is destroying your country beyond recognition."

The hacker or hackers behind the breach seem to be American, based on another comment they posted with the leaked data referring to presidential candidate Donald Trump: "Lessons for the US? We really shouldn't elect Trump," it reads. "That guy sounds like he knows even less about running a country than Erdogan does."

Turkey's government, for its part, has downplayed the leak as an "old story," arguing that the data had actually been first leaked in 2010, though critics counter that the data wasn't actually posted online in a decrypted form until now. "This issue is brought to the agenda from time to time. It is now being served like a new story. These outdated reports are not newsworthy," Turkish Communications Minister Binali Yildirim told reporters at a press conference Tuesday, according to the Turkish newspaper Hürriyet. But he simultaneously acknowledged that "cyber threats" were a growing problem and that the government would create a seven-person council to bolster the country's protections of personal data.

Who's Affected, and How Serious is This?

The dumped data does seem to be from 2008 and doesn't include credit numbers, email addresses or passwords. But its sheer scale represents a potential privacy nightmare for Turkish citizens: With Turkey's population numbering around 80 million, the leak covers more than half the country. And even data like addresses and birth dates can serve as a starting point for identity theft in the hands of hackers who manage to cross-reference the breach with other stolen data.

As for the government's claims about the data's age, that's little comfort, says Isik Mater, a Turkish privacy activist and president of Alternative Informatics Association. "I searched my name on the list and reached all my family data," she writes to WIRED. "It doesn’t matter if the data is from 2008 because I still have the same name, same last name, same home address and obviously the same national ID number so it means that, the leak data is up-to-date for me and for lots of other people which makes the leak very, very serious."

Mater discounts the Turkish government's claim that the breach is "old news," arguing that the 2010 breach it referred to was far more limited: She points to a Hürriyet report from the time that describes a crime ring selling an even larger version of the database privately, but not dumping it on the internet. "Probably some law firms and real estate agencies used the [data] secretly," Mater says. But the data wasn't online until last month, she adds, when she says a hacker known as TheCthulhu posted an encrypted version of it.

It's not yet apparent how or if that same hacker was involved in the latest leak of the fully decrypted database. But it's clear that now that the database has been leaked again in a far more accessible form (WIRED was able to download the full database in minutes), this national-scale privacy breach for Turkish citizens has gone from an underground leak to a full-on, mass data disaster.