The Turkish MERNIS citizenship database has been made available for download via online Torrent file sharing services in an unprecedented leak of confidential information. The leak reveals sensitive personal details of almost five million voting-age citizens from Turkey’s Central Civil Registration System.

Government and local media have not issued comprehensive advice at the time of writing – so the D8 News data journalism team stepped in to examine the scope of the leak, providing guidance and mitigations for citizens.

Despite unverified mainstream media reports referencing a new hack, our team correlated the data and established that the leak almost certainly originated from a physical theft from the MERNIS system reported in 2010.

Despite the age of the theft, it is only in early 2016 that the data is known to have become freely and readily available online via Peer-to-Peer Torrent downloads in a file format that is straightforward to consume, permitting SQL queries and metadata analysis.

MERNIS Leak 2016: Impact Report for Turkish Citizens

  • The leaked MERNIS database dump covers Turkish citizens with residency in Turkey born before early 1991 (editor’s note: this article originally stated 9/9/1990 which was slightly off)
  • The database takes around 10 minutes to download from the internet, and 1 hour to load into the Open Source PostgreSQL database system.
  • After loading, queries are instant. Lookups can be made by TCK National ID number, name, birth date, parents’ first names, registered birthplace or home address.
  • Deeper relationships can be inferred algorithmically from parent names and National Identity (TCK) sequence numbers, permitting extraction of family trees or other implicit relation types.
  • The data can be cross-correlated with other leaks and public data archives, for example to look up tax debts or court orders for any citizen.
  • The government has not yet responded to patch or disable services that can now be mined for information by anyone who downloads the database.
  • Turkish citizens with foreign residency at the time of the leak are mostly not impacted.
  • Foreign citizens with Turkish residency at the time of the leak are not impacted given that all records carry a TCK ID number.
  • There is likely no hack; the data was stolen in a 2010 theft (see above) but only uploaded to peer-to-peer Torrent download sites recently.
What is MERNIS?

Turkey’s Ministry of Interior operates the system

MERNIS has become the backbone of the e-Government infrastructure in Turkey. Currently, the MERNIS database houses more than 130 million personal data files and (as of January 2009) more than 2000 public bodies are using the up-to-date data from the MERNIS database.

How does MERNIS work?

MERNIS is a centrally administered system where any changes in civil status are registered electronically in real time over a secure network by the 966 civil registration offices spread throughout the country. The information kept in the central database is shared with the public and private agencies for administrative purposes.

How did the system evolve?

In 1934, last names were granted to each family and individual, abolishing the practice of appellations. It was not until 1972, however, when the introduction of Law No 1543 and its successor Law No 1587 paved the way for the modernisation of the civil registration system in Turkey.

Evaluation of scale of leak and number of citizens affected

Turkey 1990 population

Given that the youngest citizens listed in the dump were born no later than 1990, we can check the 1990 population of Turkey to see that the personal details of all, or nearly all citizens aged 18 in 2010 are now likely out in the open (some variation in numbers may be due to non-citizen residents and deaths).

Recommendations

Vigilance is advised. Heightened awareness recommended in relation to:

  1. Identity theft, particularly relating to online banking and online government services.
  2. Personal safety, relating to personal addresses and contact details.
  3. Privacy and confidentiality surrounding family ties, divorces, siblings and extended family.

Business owners and government organisations working with public data should be aware that authentication or authorisation using TCK numbers, parent names, and birth date is no longer viable, regardless of means of communication (online, telephone, in person).
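One way an organisation could act on this recommendation is to audit its own identity-verification flows against the attributes the leak exposes. The following is an added example, not part of the original report: the attribute names, the policy format and the sample flows are all assumptions constructed for illustration.

```python
# Added example: attribute names, policy format and flows are illustrative assumptions.
# Attributes the report lists as searchable in the leaked dump.
LEAKED = frozenset({
    "tck_number", "full_name", "birth_date",
    "mother_first_name", "father_first_name",
    "birthplace", "home_address",
})

def passes(policy, held):
    """True if a caller holding the factors in `held` satisfies `policy`.

    A policy is a factor name, ("all", [subs]), ("any", [subs])
    or ("at_least", k, [subs]).
    """
    if isinstance(policy, str):
        return policy in held
    op, *args = policy
    if op == "all":
        return all(passes(p, held) for p in args[0])
    if op == "any":
        return any(passes(p, held) for p in args[0])
    if op == "at_least":
        k, subs = args
        return sum(passes(p, held) for p in subs) >= k
    raise ValueError(f"unknown operator: {op!r}")

def audit(flows, exposed=LEAKED):
    """Names of flows that someone holding only `exposed` attributes can pass.

    Policies have no negation, so holding every exposed attribute is the
    strongest position such a caller can be in.
    """
    return [name for name, policy in flows.items() if passes(policy, exposed)]

# Constructed sample flows for a hypothetical organisation.
FLOWS = {
    "phone_support": ("all", ["tck_number", "birth_date", "mother_first_name"]),
    # The knowledge-only fallback branch undermines the OTP branch.
    "password_reset": ("any", [("all", ["tck_number", "father_first_name"]), "sms_otp"]),
    "web_login": ("all", ["tck_number", "password"]),
    "branch_visit": ("at_least", 2, ["home_address", "birthplace", "photo_id_check"]),
    "hardened_reset": ("all", ["tck_number", ("any", ["sms_otp", "totp"])]),
}

if __name__ == "__main__":
    for name in audit(FLOWS):
        print(f"{name}: passable with leaked data alone, add a non-leaked factor")
```

Any flow the audit returns needs at least one mandatory factor outside the leaked set (a secret, a device or an in-person document check) on every accepting path, including fallbacks.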