In a week that has already seen one of the biggest data leaks ever in the form of the Panama Papers, an exposé of offshore tax haven activity of the global elite, another vast data leak has appeared online that claims to host the private information of 49,611,709 Turkish citizens.
The 6.6GB database, offered for download via P2P from a Finnish IP address, contains first and last names, national identifier numbers (TC Kimlik No), mother's and father's first names, gender, city of birth, date of birth, full address, and ID registration city and district.
If the authenticity of the leak is verified, it would be the largest ever leak of personal data, affecting two-thirds of the population – even bigger than 2015's leak of data on over 22 million US federal employees from the US government's Office of Personnel Management.
The breach was apparently politically motivated and aimed at controversial Turkish President Recep Tayyip Erdogan, as it included text under the heading 'Lessons for Turkey' reading: 'Do something about Erdogan. He is destroying your country beyond recognition.'
The poster said: 'Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?'
'Bit shifting isn't encryption,' they added, referring to the fact that the data was improperly encrypted.
The source of the data is currently unknown, but experts say it could be from a public administration agency that deals with user information. There is a possibility that some of it could have been recycled from an earlier 2009 breach.
This newly reported breach comes hot on the heels of a plethora of other data breaches, including a much larger dump of data pilfered by hacktivists in February, from the Turkish national police database, and 18 months after a similar cyber-heist in South Korea.
'This is yet another stark reminder that personal data is always a desirable target for cyber criminals, and now hacktivists,' said Robert Capps, VP of Business Development at NuData Security. 'No matter how diligent an organisation is in its efforts to protect personal data, the data is still getting out there.'
While it appears that Turkey’s controversial president, Recep Tayyip Erdogan, was the motivation for this breach, the real collateral damage will be to the millions of Turkish citizens who have had their identity compromised.
'With the level of information released in the recent Turkish breach, criminals have solid profiles on individuals that can be used to create new bank accounts, access existing accounts, or acquire false government-issued identification documents in order to perpetuate all manners of maleficence, including financial crimes and terrorism,' said Capps.
'As the amount of stolen personal data continues to skyrocket, traditional authentication techniques such as static usernames and passwords, and other fact-based authentication, will become far less effective. Having the correct credentials is simply one part of the equation, but in today’s world, being able to truly verify that it’s the correct human on the other side of the machine is the holy grail.'
'Clearly, the data is out there in the hands of cyber criminals, with more data joining it every day. How we address the usefulness of this data will greatly shape the quantity and scale of future data breaches, and related identity crimes to come.'