All personal data, from ID numbers to home addresses, of 108 million citizens registered with official institutions were stolen. The stolen data included 82 million residential addresses and 134 million GSM numbers. BTK, which is responsible for protecting the data, admitted that it could not protect the data and asked Google for help.
ALİ SAFA KORKUT
The personal data of 108 million citizens registered with official institutions, including name, surname, TR ID number, family sequence number, individual sequence number, date of birth, place of birth; province, district and village where they were registered; marital status, date of death, residence address and mobile phone number, were stolen.
The hackers who stole the data collected it in five different Google Drive files named "Renewed ID", "Address", "GSM", "101m" and "GSM" (a second file).
Realizing that the data had been stolen, the National Cyber Incident Response Center (NCCRC) contacted Google and asked for help, saying, "We are obliged by law to protect citizens against all types of cyberattacks, including phishing attacks, compromise of user accounts and data leaks."
USOM, which operates under the Information and Communication Technologies Authority (ICTA), sent Google the links to the relevant Drive files with the statement "Accordingly, we would like to bring to your attention that some allegedly critical data has been successfully uploaded to your system" and asked for their "immediate" removal with the code "urgent".
108 million Turkish ID numbers, 82 million residential addresses, 134 million GSM numbers: The total size of the files is 42 GB
The total size of the five files is 42.18 GB, including data on all citizens, regardless of whether they are citizens of the Republic of Turkey or not, who are registered with any official authority in Turkey.
The stolen data included the Turkish ID numbers of 108 million 571 thousand 832 people, the residential addresses of 82 million 322 thousand 190 people and 134 million 817 thousand 279 cell phone numbers.
The format of the files containing the personal data of millions of people is not XLS (Microsoft Excel) or CSV, the first preferred format for data recording. Due to the large size of the files, the hackers who stole the data saved them in MYD and MYI formats of MySQL, a database management system.
MySQL is one of the database management programs that can handle such large data sets. This and similar programs have the capacity to send hundreds of thousands of requests to the database at the same time, so those who want to process this data use such programs.
BTK to Google: "We request your cooperation"
"Kindly asking" Google to cooperate, USOM also requested the user account IDs, IP addresses and port numbers of the person or persons who uploaded the relevant files to Drive.
"Your prompt response in this matter is critical to protecting the integrity and security of affected users," USOM said in two separate letters to the company, dated July 29 and September 3.
MLSA had filed a criminal complaint
Free Web Turkey had also revealed the theft of personal data in 2023 and filed a lawsuit against the Ministry of Interior. After the lawsuit was rejected, the MLSA Legal Unit took the case to the Constitutional Court, arguing that the administration's negligence in protecting the data violated the right to privacy, freedom of expression and the right to a fair trial. According to MLSA, the open publication of personal data poses a grave threat to the millions of people whose information is disclosed.