On Monday, an anonymous hacker posted a data file containing personal data on 50 million Turkish citizens, including their addresses, birthdates, and the national identifier numbers issued by the Turkish government.
Wired reports that the hacker threw in some taunts directed at the Turkish government and President Recep Tayyip Erdogan:
Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure? Do something about Erdogan! He is destroying your country beyond recognition.
The hacker also took a shot at U.S. presidential candidate Donald Trump in one of his comments, phrased in a way that suggests he is American: “Lessons for the US? We really shouldn’t elect Trump. That guy sounds like he knows even less about running a country than Erdogan does.”
The UK Telegraph adds that the hacker offered some mocking cyber-security “lessons” to Turkish authorities, such as, “Bit shifting isn’t encryption; index your database. We had to fix your sloppy DB [database] work; Putting a hardcoded password on the UI [user interface] hardly does anything for security.”
The Turkish government’s initial response was to dismiss the data breach as an “old story,” suggesting that the data file dates back to 2008 and was apparently stolen several years ago, although this is the first time it has been posted on a public site in decrypted form.
Wired, however, quotes experts who determined much of the data is still accurate, even after eight years, and the Turkish government may be conflating this massive breach with a much smaller data theft from 2010 to downplay its significance.
Wired brooks no such downplaying, concluding that “this national scale privacy breach for Turkish citizens has gone from an underground leak to a full-on, mass data disaster.”
On Wednesday, the Associated Press reported Turkish Prime Minister Ahmet Davutoglu said, “Our citizens must be reassured that measures are being taken,” and he promised that his government would implement some sort of defense against data theft, although he did not elaborate. It was also announced that prosecutors in Ankara were investigating the data leak.
The Daily Sabah says the data file appears to have been stolen from the state agency that issues identity cards, and notes the number of leaked identities is very close to the number of registered voters in Turkey.
The Daily Sabah also mentions that the site where the Turkish data was posted “appears to be hosted by an Icelandic group that specializes in divulging leaks, using servers in Romania,” although that group may not be directly connected to the hackers who actually stole the data.
While several Turkish officials claim the data is not valid, the Associated Press says it randomly tested a number of entries and discovered they all correctly reflected the personal information of the individuals in question.
Several observers note this hacker attack on Turkey may be one of the largest data breaches in history, perhaps second only to the Office of Personnel Management disaster in the United States, and that 50 million compromised citizens represent well over half the population of Turkey.