The personal and financial details of roughly 85 million people, the entire population of Turkey, was added to a website where visitors can search by name or other terms to quickly locate what they’re after.
The website, named “Sorgu Paneli,” which translates to “Inquiry Panel,” offers registered users access to full names, physical addresses, phone numbers, and financial information (IBAN and bank info, title deed info, etc.). However, the latter is reserved for paying members who are given access to the “VIP” panel. Access to this data puts people in danger of phishing, social engineering, bank fraud, identity theft, and more.
Although the website currently displays a “we will be back” message on its homepage, likely due to being overwhelmed by traffic requests, the same database query service is working normally on Telegram and Discord, where people report being able to access anyone’s data. At the time of writing, the registered members on the platform’s Telegram channel have surpassed five thousand.
The discovery of this illegal data-selling service comes from FreeWebTurkey, an internet access, censorship, and data protection observatory that has confirmed the validity of data samples and claims that it appears to be the product of a breach of the country’s e-government system. This is an online services portal where all people residing in the country are obliged to maintain an account.
In response to the situation, Turkey’s Media and Legal Studies Association (MLSA) has announced plans to submit a lawsuit against the Ministry of Internal Affairs, which is responsible for safeguarding people’s data, and obviously failed at that. MLSA’s director stated that compensation would be pursued, and urged affected individuals the file criminal complaints to the authorities.
Regarding the perpetrators, their identity, origin, and time of attack remain unknown, but it has been determined that the website has been online since June 3, 2023, and is registered in Northern Cyprus. It is possible that the leaked data was stolen during an attack that unfolded in April 2022, when hackers claimed to have breached Turkey’s e-government infrastructure. However, a statement by the President’s Digital Transformation Office at the time disputed these claims saying that its IT experts had found no signs of a data leak.
Unfortunately, the leaked data mainly contains information that is impossible to change or reset, so the only way to deal with the situation for exposed individuals would be to maintain a high-alert on all communications and quickly report suspicious messages, account activity, or phishing attempts to the concerned financial institutions, data protection, and law enforcement authorities.