Hacker News new | past | comments | ask | show | jobs | submit login
Turkish citizens' personal data offered online after government site hacked (balkaninsight.com)
321 points by giuliomagnifico on June 9, 2023 | hide | past | favorite | 83 comments



Turkey's govt actually has quite a robust IT infrastructure and the Turkish citizens can do pretty much anything through the turkiye.gov.tr portal. It's really useful, you can even cancel subscriptions to services and utilities from there. You can book appointments for documents services or hospitals, see all your medical history or even heritage records.

These leaks keep appearing since many years but their origin is not necessarily a hack of the government infrastructure. The leaks usually occur at election cycles because the address based electorate data is handled and processed by the political parties(which are not exactly IT elites) and gets stolen or leaked.

Then there were high profile hacks of large food delivery services or other e-trade platforms.

All this resulted in people collecting and merging data from multiple leaks and re-selling those.

Edit: At some point, all the lawyers were using this data to track down people relevant to their court cases. They were selling it in CD format back then. Scammers and other criminals probably use this data too.


Every time I try to search for a phone number (Bing/ddg) I get pages and pages of clearly auto generated fake names associated with numbers, all hosted on that same Turkish government portal. I don't know why.


Does anyone know the purpose served by those reverse phone number search sites that list hundreds of thousands of fake names and fake addresses?


The purpose is to serve ads and make money. They can do that because people will search for unknown numbers and names.


When these fake name/number sites first appeared about 5-8 years ago, they didn't have any ads or even outgoing links. (I looked without an ad blocker.) Ads might be the explanation for many of them today, but I don't think it's the original or sole reason. Though I suppose it may have begun as a proof of concept without ads to gauge the traffic, then ads got added years later.

I've read speculation that they were started by telephone spammers to poison the utility of those who-called-me websites that highlighted spammers' phone numbers. I don't think that's the real reason either. It sounds too cute and clever for spammers. (As an aside: nowadays those services are useless since spammers can so easily fake the caller-ID.)

I'm still thinking that there is an interesting story for the original purpose.


I get similar -- see my comment. But never gov.tr


These are not on a goverment site, just the usual SEO spam.


Interesting, Are you sure it’s turkiye.gov.tr?


Not entirely sure, no. Happens on work PC using Chrome (with uBlock Origin and most lists activatsd), but not at all on phone using Firefox, despite identical searches just tested now. I don't know enough about how this works to say much more.


Do the data shared with political parties contain real estate deeds?


I'm not sure what exactly it contains but all those leaks contain Name, Address and your national identity number(something like social security number). It must also contain the birthplace and date because the last elections there was question over how many refugees got citizenship and the opposition said they checked the birthplaces and the number is not too high.

BTW, this data is available for the citizens too during the election cycle so you can check who lives in the same building with you and correct any mistakes. The list of the electorate is also attached at the polls so anyone can check for something fishy.

Then in Turkey there's this obsession with companies about collecting as much as info possible about you, so when the food delivery service is hacked the hackers now can easily add your phone number, update your current address by matching your national identity number because for some reason they need to have that info to deliver some kebab.

Also, this national identity number is generated through some algorithm which gives away your relatives and thanks to this, the hackers can also build your social graph from the leaks. Here is a repo about that algo: https://github.com/kerematam/akrabatcno

AFAIK it’s used in “your grandson had an accident and needs emergency surgery, send this much money ASAP” scams.


> update your current address by matching your national identity number because for some reason they need to have that info to deliver some kebab

Publuc wifi at O2/millenium dome in london us almost as bad.

We really need to make extraneous data a liability and a risk burdain to business.


In the EU this is already the case. You are only allowed to collect what you need for a specific purpose.


> AFAIK it’s used in “your grandson had an accident and needs emergency surgery, send this much money ASAP” scams.

Sad to hear that that scam is also used in Turkey, some very low and despicable people also use it here, in Romania, targeting elderly people, and it’s really vile. I explicitly warned my parents not to fall for it in case someone calls them.


> this data is available for the citizens too during the election cycle so you can check who lives in the same building with you and correct any mistakes.

Why are they crowdsourcing a task that is a basic bureaucratic process in any state?

I mean, is Turkey a state that doesn't know who its citizens are and where they live?


It's primary function is to prevent election fraud. In Turkey, elections are a serious business with participation rate above 85% and people are meticulous about the process.

Also, in Turkey the address registration is self declaration based and the government doesn't actually check if you live there. So theoretically, it can be possible for a political party to arrange it's voters distribution in such a way that it is advantageous for them. The idea is that citizens should be able to check against such things.


I'm from Italy. When I change the place where I live I declare the new address and before they update my data an officer comes and checks that I really live there. They can get in and check that's not an empty house and I'm only pretending to live there, if they want to. The check is usually nothing more than peeking through the door though.

It seems an easy task to perform.


Wow that's creepy even for me, who lived for many years in Turkey. In Turkey, the only check is a reference from someone who is already registered in that address. All this can be done online, you declare your new address from turkiye.gov.tr and someone who's registered in that address can approve your declaration.

Do you know that in UK they don't even have such a registry? The government doesn't know where you live(at least officially) and when you need to apply for something that requires proof of address they would use bank statements on your name sent by mail to that address.

I wonder how do you feel about it? Do you think that the Italian approach is better? Why would the government has to know where you live for sure? Is it to prevent benefit frauds?


No idea, it's been like that since forever AFAIK. At least it solves a lot of problems (you just show your photo id) and basically everybody you have a contract with would know that information anyway, utilities, banks, etc.

Edit: there is a difference between the place you live and the place you are registered into. Example: a student is registered at parents' home and goes to study at a university in another city. He rents a room there. He has a contract there and the landlord must notify that the student lives there (since the terrorism laws in the 70s) but the student is still registered and votes at the city of his parents unless he registers at the other city.

This is common also for workers. Maybe they live for years in a city (and the state knows) but they are still registered on their home one.


In the UK we have the electoral register. In order to vote, you need to be registered to it. The government most definitely does use it, as do credit scoring agencies and identitity verification services.

A lot of places do accept bank statements as a backup if you are not on the electoral roll.


That sounds wildly inefficient.


They claim they have land registry records as well. Those are not part of the election database that was leaked eons ago.

Your comment is not accurate.


They claim things but the screenshots I've seen did not have any of those.

check this: https://eksisozluk1923.com/img/bei0vtuj

It's the usual stuff: id number, name, birthday, address, phone.

Then they have the "relatives", which is deductible from the id number.

Then you have some promotional materials advertising the sale of additional data but I have not seen anyone confirming it.


It is a bit premature to declare this leak "more of the same" because I am hearing people's medical records are out in this one. That would point to a new, probably wider leak.


That would be interesting, any links to reports about wider than the "usual" leaks?


A few anectodal things from ekşisözlük claiming people were able to look up the medicines they are taking. Nothing conclusive and I didn't really have the chance to do a deep dive with my current bandwith. The files are supposed to be around 64GB.


Do you have a link to the files? I want to check this out.


Sorry no. I have to find it too. I can't do anything right now because I am on metered 4G.


Please read the article linked, they claim they have land registry records as well :/.


They claim things but the sources are not of good quality. The screenshots I've seen were the usual data: Name, address and phone number.


That might be because some interface(s) are supposed to show something like demo data when you enter an ID number. They want a membership for more. But this is speculation. I am sure we'll find out in a few days when it's already forgotten.


"You can book appointments for documents services or hospitals, see all your medical history or even heritage records"

you must be crazy if you think this is a good idea


It’s very convenient, one of the perks of a totalitarian government with sound IT infrastructure.


I agree that it's very convenient and I use it myself too: much better than going into crowded offices with bureocracy etc.

On the other hand, in case of a breach/hack, it becomes a serious problem.


Turkey has an universal healthcare system, government has to have all that info anyways. You have option to hide specific items from your medical history so not even your doctors can see them. Every access to your records by your doctors are also logged and reported.


why do you think it is a bad idea?


My country publishes everyones data which then is offered by a number of services: https://mrkoll.se as an example.

I wrote a blog article about it: https://commit.pizza/2022/10/16/the-only-way-of-being-anonym...


Do you see any negative aspects in day to day life since the data is published?


An aspect of this that some people find problematic is that many employers use these services to do background checks on individuals before hiring. Background checks are of course customary for some positions, in which case official police records will be retrieved with the candidate's knowledge or consent. For positions where background checks haven't historically been customary, these services will often be used instead, since they are much faster and cheaper in terms of administration, don't require consent and don't notify the candidate that they have been used, and (at least in the past) show offenses that no longer show up in the official records.


What about stalkers?


Yes, people can look you up and threaten you and that has happened to me more than once now.

Criminals use it a lot which is increasingly a large problem due to the mass immigration that has sky-rocketed violent crimes in our country. They also use it to hijack peoples identity (haven't happened to me), since the social security number is available to everyone.


pffft

Amateurs

Russian citizens' personal data is sold online before government site gets hacked


That's true. In Russia databases of passport data sold on DVD on local markets long before government had any real online services.


If you take what bellingcat posts at face value, the amount of data about Russian citizens for sale is absolutely comical:

https://www.bellingcat.com/resources/2020/12/14/navalny-fsb-...


It's mostly not actual leaks though. Just result of countless government beuracrats working for $300 / month. Considering fact that some people going to die on frontlines for $3000 / month leaking bunch of data for $100 is no brainer.

To give an example. Since authoritarian regime like databases every hospital have to put data about every appointment or vaccination into regional online database. So every single doctor, technicial or their friend have names, national insurance ID, home adress and passport data for every single person who ever used medical services in that region.

And since every phone number at least supposed to be registered on passport data it's super easy to connect any other non-government data leaks to specific person.


Those are “actual leaks”…


How's that not an actual leak?

But I think you mean it's not a hack.


Yeah pardon. I meant that nobody leaked whole databases or massive datasets. It's still possible to leak personal data on specific people.


In Sweden you can just buy all that data legally because it's all public information.


All the citizens' personal data is public information? Medical records as well?


Same in China.


I think on the contrary Russians alone don't get hacked by Russians.

Russians get hacked by the Terman lab. NSA...CIA...NRLO i think...yeah those guys.


Be aware that the website(s) tied to this event has been down for quite a while and there are no concrete evidence that any of them have really worked. There were a few leaks back in the 2010s but nothing recently has come up (lots of claims, no real proof).


Probably not related but I found a weird search result with many Turkish sites.

Google search for "faegulas" results in many different .tr sites with personal data of USA people. The sites are all of the form

<8randomletters>.<4random>.(info|com|net|gen).tr

All seem to be blocked by Cloudflare though.

[edit -- could be fake, generated data. but why]


This is very weird. .com.tr and and .org.tr registrations in Turkey are heavily bureaucratised with proofs of actual trademark ownership required and humans involved. So it is unlikely that these 4 letter domains could be automatically registered. The clouflare block is also odd. Could this be a DNS attack on Google on non existing domains?


My guess is that they're all govt sites and used somehow in censorship or honey-trapping.


Join the party...

"Every Netherlands resident affected by data leak: watchdog" - https://nltimes.nl/2023/06/06/every-netherlands-resident-aff...

"Medical Data of 500,000 French Residents Leaked Online (2021)" - https://www.infosecurity-magazine.com/news/500k-french-medic...


The Netherlands headline is alarmist and the full facts are not in yet: they did not say "all residents' data had been leaked; the number affected estimated at is 2+ million (population 17.5m). [0] . The Dutch DPA did say they should use a different password everywhere, use secure login, request organizations to delete their data... "Citizens must assume that their personal data has already leaked or that this will happen at some point".

Meanwhile: back in May 2020 a Dutch hacker obtained virtually all Austrians' personal data (full name, gender, address, DOB), police say [1]

[0]: https://www.iamexpat.nl/expat-info/dutch-expat-news/millions...

[1]: https://www.reuters.com/world/europe/dutch-hacker-obtained-v...


These days you just have to assume every piece of personal data (and meta data about your online activity) eventually is made public.


but your bank still uses ut to confirm your udentity over the phone


It's not suprising. Turkish citizens' data is in the hands of 13 y.o kids since 2015.


This is unfortunately true. The "MERNIS" leak is freely available, containing some 49M citizens with their ID card numbers, addresses and a lot more.


I'm curious if leaks like this are used to validate directory style websites or if they purely function off of official public records requests and releases.

There's a special place in hell for people who leak PII.



Wasn't there a similar breach in India a few years ago?

There should be a clause that governments have to step down if breaches like that happen.

But until leaders, like Erdogan, themselves get doxxed and trolled, probably nothing will be done.


The prime minister of Singapore was the target of a breach against a healthcare provider in 2018 https://en.wikipedia.org/wiki/2018_SingHealth_data_breach


I can sell to you the Turkish president's address for a small price of $1000. PM for details.


I heard he lives in a giant palace!


I think you are aiming for accountability but making a government step down for data breach is unrealistic and has many unintentional consequences.

In security you can account for many factors except the human factor.

If there's sufficient incentive like automatically bringing down the government, you are painting a huge target on the hardware & software infrastructure for both internal(political rivals) and foreign entities(think governments with significantly more resources).

There will always be at least one weak human link that can be exploited and that's far less price compared to what was done historically to topple governments.


Good points! Thanks for bringing them up!


Or, you know, people could stop voting for authoritarian assholes who don't care if bad things happen to average people because that's not why they are in government anyway.


Is that old information? I’m sure I have a dump on most Turkish civilians from a few years back… it also includes data on Erdogan, his birth place and ID number.


The government has been silent on this so far, but I suspect the underlying story could be described as 'Byzantine'.


<groan>


This isn't the first time, it happened before sometime in 2015 I think?


Yep, I was able to find my family's records in that leak...


Website sorgupaneli.org down


I think there have been multiple leaks in the past, and this website is not the first either...


Why haven't the authorities moved in on the host of the site offering the data?


A lot of this stuff is readily available in the right Telegram groups.


This happened in the US as well many a time.


They never claimed the data…


great, thanks. I'm now famous.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: