50 million PII Records of Turkish Citizens Posted Online

Hackers have dumped a database apparently containing personal details of almost 50 million Turkish citizens. The details were posted to an Icelandic organization that specializes in such data dumps. According to SecurityWeek’s research, the server is hosted in Bucharest, Romania.

Most commentators believe that the data is genuine, although there is some suggestion that it is not entirely new. Jacob Appelbaum commented on Twitter that if genuine, it would represent one of the largest breaches since the massive Office of Personnel Management (OPM) breach. The subsequent Twitter thread indicates that the data may come from the Turkish citizens who voted in the 2009 elections. 

Personal details within the data include the Turkish National Identifier, name and address, parents’ first names, sex and age.

While the data leaked may not be incredibly sensitive, the reality it that simple matching of this data with either guessed or otherwise acquired email addresses will lay 49,611,709 people open to phishing, spear-phishing, scamming and identity theft.

“We have received information, that the bad actors on “Dream Market,” where previous data leaks were sold (such as from TheNeoBoss on hacked porn networks), had placed the decrypted database of Turkish National Police there some days ago,” Andrew Komarov, chief intelligence officer at InfoArmor, told SecurityWeek. 

It is largely assumed that the motive for the dump is political. Many groups both within and outside of Turkey, including Anonymous, have declared cyber war against the Turkish government.

“Previously, this database was published at https://turkey.thecthulhu.com/ with hashed data, but it looks like some bad actors are looking for the data from this region and that’s why they have invested some efforts in cracking it,” Komarov said.

“[At] the same time, the same rounds of bad actors were actively discussing Turkey’s national database, but without any clear details or estimated price. Turkey is definitely very specific region, having many geopolitical overlaps, that’s why absolutely different bad actors by motivation and ideology may target it,” he continued.

However, the hackers’ message accompanying the data dump seems to be more to ridicule the government than to attack it politically.

“Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?” say the hackers.

The hackers then offer four lessons that Turkey should learn: ‘bit-shifting isn’t encryption’; ‘we had to improve your sloppy DB work’; ‘don’t put a hardcoded password on the UI’, and finally, ‘get rid of Erdogan’ (the Turkish President).

But while dumping the data might be political, that doesn’t mean the original reason for the hack was political. We don’t know how long the hackers had the database before going public, nor do we know how many bad actors now have all of this personal data. While the dump might be political, the hack might have been simply financially-motivated criminality.

As Robert Capps, VP of Business Development at NuData Security, comments, “The real collateral damage will be to the millions of Turkish citizens who have had their identity compromised. In most cases, the most common result of such a breach is fraudulent account creation or existing consumer account takeover, something we have seen borne out year after year among our clients. Of the last billion account creations we analyzed, more than 50% were identified as illegitimate and/or fraudulent. With the level of information released in the recent Turkish breach, criminals have solid profiles on individuals that can be used to create new bank accounts, access existing accounts, or acquire false Government issued identification documents in order to perpetuate all manners of maleficence, including financial crimes and terrorism.”