What could be an even bigger scandal than this week’s surprising leak of 72 million Turkish citizens’ personal information?
Perhaps that Turkey’s government knew about the breach—in which the government was duped by hackers into handing over practically their entire country’s basic identifying information—since at least 2010.
The info was released to the world by Thomas White, who goes by @CthulhuSec on Twitter. A U.K.-based Tor hidden service developer and privacy activist, White published the “Turkish Police Data Dump,” a 17.9 GiB database and a search tool, on his website on Feb. 15.
According to White’s statement, the data was collected from Turkish National Police by a hacker known as “ROR[RG],” who White said had “persistent access” to Turkey’s government infrastructure for the past two years, and who decided to release it in the light of “various government abuses.” The Turkish government has cracked down on its citizens in a number of ways in recent years, including stifling social media and imprisoning journalists, in the name of mitigating terrorism.
ROR[RG] previously made a name for himself when he attempted to extort dating service AdultFriendFinder by leaking their database on Dark Net forums in April 2015. White, on the other hand, is known to offer help to distribute leaked data for public use, such as the Fraternal Order of Police and the HackingTeam breaches previously reported on by the Daily Dot.
The “Turkish Police Data Dump,” however, is not about the Turkish Police, nor was it actually taken from them.
After the files were made public, an anonymous IT security expert, c2vkyxq, posted a detailed analysis about the data dump and the search tool on Turkey’s largest online forum, Ekşi Sözlük. C2vkyxq found that, while the database is in the open-source MySQL format, which is used by many commercial websites, the data itself is encrypted. A search tool provided by the dump, however, also works as the decoder of the data.
The data, reviewed by the Daily Dot, has Turkish-language query boxes for basic census data: first name, surname, citizenship number, sex, address, and date and place of birth.
However, as many commentators pointed out, neither the database nor the leak is new. The database files are from April 2009, as are the configurations to run the database offline. The code for the search software, however, was compiled into its latest form in 2013. It retains deactivated commands for prompting username and password and for returning queries from a distant commercial server, which is now offline.
Though the data wasn’t previously so easily searchable by anyone, its existence was revealed in July 2010. A news article published in the Turkish daily Hürriyet mentions a small crime ring that sold such databases for only $200.
According to Hürriyet’s report, the hackers posed as an IT company that develops “a special software which provides ID information of any person within 25 seconds” to assist law firms and real estate agents in cases of loans and credits. Another news article added that the company had separate software packages for license plates and phone numbers, and the cyber crime police believed that, before the crime ring was busted, the software was sold to some 1,500 law firms across Turkey. There are posts from 2010 on lawyers’ forums where users asked about the legality of using this software, and on sysadmin forums where young IT workers looked for advice on cracking this database.
There is no doubt that the data is official state records from MERNİS, Turkey’s citizenship number system, but the source of the original leak is currently unknown. Turkey has legal barriers that prevent government offices, including the Turkish National Police, from holding the leaked database in its entirety. However, a civilian task force of cyber security experts found that the Turkish citizenship numbers are linked to an algorithm that would have made it possible to make systematic queries to collect the database.
Without a transparent administrative investigation, and without political accountability, we will never know how the personal information of 72,000,000 Turkish citizens could be obtained. But one thing’s for certain: It’s now available for anyone who wants it.
Illustration via Fernando Alfonso III