The Turkish MERNIS citizenship database has been made available for download via online Torrent file sharing services in an unprecedented leak of confidential information. The leak reveals sensitive personal details of almost five million voting-age citizens from Turkey’s Central Civil Registration System.
Government and local media have not issued comprehensive advice at the time of writing – so the D8 News data journalism team stepped in to examine the scope of the leak, providing guidance and mitigations for citizens.
Despite unverified mainstream media reports referencing a new hack, our team correlated the data and established that the leak almost certainly originated from a physical theft from the MERNIS system reported in 2010.
Despite the age of the theft, it is only in early 2016 that the data is known to have become freely and readily available online via Peer-to-Peer Torrent downloads in a file format that is straightforward to consume, permitting SQL queries and metadata analysis.
MERNIS Leak 2016: Impact Report for Turkish Citizens
- The leaked MERNIS database dump covers Turkish citizens with residency in Turkey born before early 1991 (editor’s note: this article originally stated 9/9/1990 which was slightly off)
- The database takes around 10 minutes to download from the internet, and 1 hour to load into the Open Source PostgreSQL database system.
- After loading, queries are instant. Lookups can be made by TCK National ID number, name, birth date, parents’ first names, registered birthplace or home address.
- Deeper relationships can be inferred algorithmically from parent names and National Identity (TCK) sequence numbers, permitting extraction of family trees or other implicit relation types.
- The data can be cross-correlated with other leaks and public data archives, for example to look up tax debts or court orders for any citizen.
- The government has not yet responded to patch or disable services that can now be mined for information by anyone who downloads the database.
- Turkish citizens with foreign residency at the time of the leak are mostly not impacted.
- Foreign citizens with Turkish residency at the time of the leak are not impacted given that all records carry a TCK ID number.
- There is likely no hack; the data was stolen in a 2010 theft (see above) but only uploaded to peer-to-peer Torrent download sites recently.
MERNIS has become the backbone of the e-Government infrastructure in Turkey. Currently, the MERNIS database houses more than 130 million personal data files and (as of January 2009) more than 2000 public bodies are using the up-to-date data from the MERNIS database.
Evaluation of scale of leak and number of citizens affected
Given that the youngest citizens listed in the dump were born no later than 1990, we can check the 1990 population of Turkey to see that the personal details of all, or nearly all, citizens aged 18 in 2010 are now likely out in the open (some variation in numbers may be due to non-citizen residents and deaths).
Recommendations
Vigilance is advised. Heightened awareness is recommended in relation to:
- Identity theft, particularly relating to online banking and online government services.
- Personal safety, relating to personal addresses and contact details.
- Privacy and confidentiality surrounding family ties, divorces, siblings and extended family.
Business owners and government organisations working with public data should be aware that authentication or authorisation using TCK numbers, parent names, and birth date is no longer viable, regardless of means of communication (online, telephone, in person).