ALİ SAFA KORKUT
Massive data breach exposes personal information of 108 million Turkish citizens
A major data breach has exposed the personal information of 108 million Turkish citizens, including identity numbers, home addresses, and phone numbers. Among the stolen data are the addresses of 82 million individuals and the GSM numbers of 134 million. The Information and Communication Technologies Authority (BTK), responsible for safeguarding this information, acknowledged the breach and sought assistance from Google to remove the compromised data.
Details of the breach
The stolen data includes names, ID numbers, birth dates, and other sensitive information, such as family and individual record numbers, marital status, and even death records. Hackers stored this data across five different Google Drive files labeled “Refreshed TC,” “Address,” “GSM,” “101m,” and a second file titled “GSM.”
The breach was discovered by Turkey's National Cyber Incident Response Center (USOM), which promptly contacted Google for help in removing the files. USOM emphasized the need to protect citizens from phishing attacks, account hijackings, and other cyber threats.
The scale of the leak
The stolen files, totaling 42.18 GB in size, contain data on 108 million Turkish citizens, including 108,571,832 ID numbers, 82,322,190 home addresses, and 134,817,279 GSM numbers. The format of the files is not in the commonly used XLS or CSV formats, but instead in MySQL's MYD and MYI formats, used to handle large datasets. Hackers chose this database format due to its ability to process vast amounts of data quickly.
BTK reaches out to Google
In an urgent request, USOM asked Google to immediately remove the files and provide information on the accounts that uploaded them, including their IP addresses and port numbers. In letters sent on July 29 and September 3, USOM highlighted the importance of Google’s swift cooperation to protect affected users.
Past efforts to address data leaks
The Media and Law Studies Association (MLSA) had previously filed a lawsuit in 2023 after revealing a similar data breach. The lawsuit, filed against the Interior Ministry, was dismissed, prompting MLSA to take the case to Turkey’s Constitutional Court. MLSA argues that the authorities’ failure to protect personal data violates citizens' privacy, freedom of expression, and right to a fair trial. The organization warns that the exposure of this data poses a significant threat to millions of people.