
Personal information of roughly 85mio Turkish citizens has been leaked, including ID-numbers and phone numbers

HW100

Summary

A website has surfaced where individuals can gain access to personal information of roughly 85mio Turkish citizens (the site appears to have already been taken down). According to Cumhuriyet, hackers have gained access to the database of e-devlet, a digital e-gov service by the Turkish government for its citizens, where they can see all personal information and eventually replaces the need to go to local authorities to deal with bureaucracy. The leaked information includes ID-numbers, phone numbers, medical information, the whole family tree, marital status, level of education and much more. While information like phone numbers and ID-numbers are free to access, access to more specialized information (e.g. deed information) requires some sort of payment.

 

Quotes

Quote

It was revealed that the data of 85 million citizens was stolen from e-devlet, where all information from citizens are available. TC identity number, telephone, address and title deed information of 85 million citizens were published on a website.

Quote

According to Halk TV (a TV news station), by making an enquiry, it is possible to access the names of the mother and father, Turkish ID numbers, telephone numbers, information of relatives and even the Turkish ID number of the mother of the person. While this information can be accessed with a free membership, the website requires a paid membership for deed information and other private information.

Translated from Turkish by me.

 

My thoughts

Because I'm a Turkish citizen and have an e-devlet account, it directly affects me and I was absolutely shocked when I found out about the news. It also questions the trust of e-gov systems: How is it possible that hackers gained information about the whole population of a country? Funny enough, it isn't the first time something like this happened in Turkey, even though it was on a much smaller scale. There are some rumours coming from the main opposition party that the database was actually sold, but again, these are just rumours.

If they were able to hack such an important part of a country's infrastructure, then really, what's next?

 

Sources (Turkish)

https://www.cumhuriyet.com.tr/turkiye/son-dakika-e-devlet-verileri-calindi-tc-kimlik-numaralari-bile-gozukuyor-2089112
https://www.cumhuriyet.com.tr/siyaset/milyonlarca-yurttasi-ilgilendiriyor-calinan-verilerle-ne-yapilabilir-bilisim-uzmani-yanitladi-2089198

https://www.cumhuriyet.com.tr/siyaset/veri-sizisi-skandalina-chpden-ilk-tepki-sattiniz-ya-da-satilmasina-imkan-saglayacak-ortami-yarattiniz-2089189


@HW100 Major ouch. My sympathies.

Most likely scenario is that there's a front-end available for some government department and all it took was 1 compromised system to gain full access. An even moderately competent hacker group could have exfiltrated the entire database.


Oooff.. Did they gain physical access to servers when the earthquake chaos happened?


1 hour ago, xAcid9 said:

Oooff.. Did they gain physical access to servers when the earthquake chaos happened?

That's a really good thought. Or a government office in the affected area. Horrible tragedies are, unfortunately, major opportunities for the nefarious.


19 hours ago, xAcid9 said:

Oooff.. Did they gain physical access to servers when the earthquake chaos happened?

Given that there was total chaos after the earthquake, it may seem likely that they've used this opportunity to gain access, but no news source/report indicates that the earthquake could be the reason for it.
Because it's Turkey and they don't really follow guidelines/code, it seems more likely that it was a coordinated attack on a compromised system like @Taf the Ghost mentioned. Like I said, something like this has already happened, but on a much smaller scale.


On 6/9/2023 at 5:20 PM, HW100 said:

According to Cumhuriyet, hackers have gained access to the database of e-devlet, a digital e-gov service by the Turkish government for its citizens, where they can see all personal information and eventually replaces the need to go to local authorities to deal with bureaucracy.

Gee, and governments wonder why "government verified identity" online services are a BAD idea.

 

This is why. Start requiring government ID (to verify residency or age) to login to private services, and a leak will happen.

 

 


On 6/10/2023 at 2:20 AM, HW100 said:

Website has surfaced where individuals can gain access to personal information of roughly 85mio Turkish citizens

That would be the whole population of Turkey...
ID cards in Turkey are compulsory from birth (if I am not mistaken).
 

3 hours ago, HW100 said:

Like I said, something like this has already happened, but on a much smaller scale.

Sure, not as bad as this, but:
50 mil: first & last names, addresses, parents' names, cities of birth, birth dates, and national ID numbers.
Not sure if I'd classify that as "much smaller scale".

Perhaps if that breach was taken more seriously, this newest breach wouldn't have happened...


Are we 100% sure it’s not the same old 2006 leak they are reusing?

 

Anyways, yemeksepeti leaks my details every other week. 


7 hours ago, Levent said:

Anyways, yemeksepeti leaks my details every other week. 

I laughed too hard at this

7 hours ago, Levent said:

Are we 100% sure it’s not the same old 2006 leak they are reusing?

For that I could've checked myself if I'm in the database, since my information is not included in the 2006 one. But the website appears to have already been taken down, so I must wait for another way to check it (IF another one surfaces).


12 hours ago, Kisai said:

Gee, and governments wonder why "government verified identity" online services are a BAD idea.

 

This is why. Start requiring government ID (to verify residency or age) to login to private services, and a leak will happen.

 

 

Well, yes, because that's the wrong (and foolish) way to go about it... I've already said this a lot, but people don't seem to understand, so it's not surprising politicians and "experts" don't understand...

I.e. it's a good idea to use personal / unique data to identify a given user, but it needs to be done through a code and heavily encrypted, so that even the client can't actually access the data, it only gets verified (by automatic decryption I suppose) but nobody has actually access at this point...

So say your identification number is "A0001B"... you log in with that number and also some kind of physical thing, like fingerprint, iris, implanted chip, etc...

That way the data can hardly be leaked or misused, and in case something actually happens you could still verify your identity in retrospect since you have the number (which may leak) and some sort of physical proof...

So this may never be 100% foolproof, but much, much harder to be accessed on a widespread scale like it currently is.

(you just need to hack the server currently, but if everything is encrypted with some kind of physical identification this should be nigh impossible to misuse)

Makes sense or no? (I really can't imagine any other way that's remotely "safe")


Business as usual. I might as well start selling my own data to at least make some money off of it before it leaks the 72938th time. 

 

Anyone interested? 🥱

 

 

 

 


  • 3 weeks later...

This doesn't seem to be a regular leak as far as I could find out. What they've done is 'invent' a new market segment I'd like to call 'LaaS' or 'Leaks as a Service' where you pay them a subscription fee per month to gain access to this data with an authorization key. Their website looks like a custom front-end for the government websites which they access using legitimate access keys bought from actual notaries and accountants; they actually advertise that they're looking for more people to provide said keys to them, in exchange for some kickback I guess. So it looks like they haven't actually dumped the data or parsed it into a single package, which I guess would draw suspicion to the few access keys they have, if they had millions of requests made to the back-end using them.
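Added example, not part of the thread or of any government system's code: a sketch of how a back-end operator could look for legitimate access keys being used as a lookup front-end, by counting distinct citizens queried per key per day and comparing against other keys of the same role. The log layout, key names, roles, dates and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def daily_distinct_subjects(records):
    """(access_key, role) -> {day: count of distinct citizens looked up}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, key, role, subject in records:
        seen[(key, role)][day].add(subject)
    return {k: {d: len(s) for d, s in days.items()} for k, days in seen.items()}

def flag_outlier_keys(records, ratio=5.0, floor=20):
    """Flag keys whose busiest day is far above the median for their role."""
    per_key = daily_distinct_subjects(records)
    peaks_by_role = defaultdict(list)
    for (key, role), days in per_key.items():
        peaks_by_role[role].append(max(days.values()))
    flagged = []
    for (key, role), days in sorted(per_key.items()):
        peak = max(days.values())
        baseline = median(peaks_by_role[role])
        # Both conditions: an absolute floor and a multiple of the peer median.
        if peak >= floor and peak > ratio * baseline:
            flagged.append((key, role, peak, baseline))
    return flagged

def constructed_log():
    """Constructed sample data; key names, roles and dates are made up."""
    days = ("2023-06-07", "2023-06-08")
    normal = {"notary-01": ("notary", 4), "notary-02": ("notary", 6),
              "notary-03": ("notary", 5), "acct-01": ("accountant", 10),
              "acct-02": ("accountant", 12), "acct-03": ("accountant", 15)}
    records = []
    for key, (role, clients) in normal.items():
        for day in days:
            records += [(day, key, role, f"{key}-client-{i}") for i in range(clients)]
    # One notary key feeding a lookup front-end: many unrelated citizens per day.
    for day in days:
        records += [(day, "notary-04", "notary", f"citizen-{day}-{i}") for i in range(300)]
    return records

if __name__ == "__main__":
    for key, role, peak, baseline in flag_outlier_keys(constructed_log()):
        print(f"{key} ({role}): {peak} distinct subjects/day, role median {baseline}")
```

A key kept close to its role's median stays under this threshold, so the check is a first filter on audit logs rather than evidence that a key is clean.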
