[HN Gopher] Turkish citizens' personal data offered online after...
___________________________________________________________________
Turkish citizens' personal data offered online after government
site hacked
Author : giuliomagnifico
Score : 308 points
Date : 2023-06-09 17:51 UTC (1 days ago)
(HTM) web link (balkaninsight.com)
(TXT) w3m dump (balkaninsight.com)
| xwdv wrote:
| A lot of this stuff is readily available in the right Telegram
| groups.
| kodah wrote:
| I'm curious if leaks like this are used to validate directory
| style websites or if they purely function off of official public
| records requests and releases.
|
| There's a special place in hell for people who leak PII.
| greentext wrote:
| Sometimes for research purposes
|
| https://en.wikipedia.org/wiki/AOL_search_log_release
| hashworks wrote:
| This isn't the first time, it happened before sometime in 2015 I
| think?
| melvinmelih wrote:
| Yep, I was able to find my family's records in that leak...
| chalcolithic wrote:
| pffft
|
| Amateurs
|
| Russian citizens' personal data is sold online before government
| site gets hacked
| [deleted]
| [deleted]
| SXX wrote:
| That's true. In Russia databases of passport data were sold on DVD
| on local markets long before government had any real online
| services.
| morkalork wrote:
| If you take what bellingcat posts at face value, the amount
| of data about Russian citizens for sale is absolutely
| comical:
|
| https://www.bellingcat.com/resources/2020/12/14/navalny-fsb-...
| SXX wrote:
| It's mostly not actual leaks though. Just the result of
| countless government bureaucrats working for $300 / month.
| Considering the fact that some people are going to die on
| frontlines for $3000 / month, leaking a bunch of data for $100
| is a no-brainer.
|
| To give an example. Since authoritarian regimes like
| databases, every hospital has to put data about every
| appointment or vaccination into a regional online database.
| So every single doctor, technician or their friend has
| names, national insurance ID, home address and passport data
| for every single person who ever used medical services in
| that region.
|
| And since every phone number is at least supposed to be
| registered on passport data it's super easy to connect any
| other non-government data leaks to a specific person.
| solumunus wrote:
| Those are "actual leaks"...
| wkat4242 wrote:
| How's that not an actual leak?
|
| But I think you mean it's not a hack.
| SXX wrote:
| Yeah pardon. I meant that nobody leaked whole databases
| or massive datasets. It's still possible to leak personal
| data on specific people.
| contingencies wrote:
| Same in China.
| daniel-cussen wrote:
| I think on the contrary Russians alone don't get hacked by
| Russians.
|
| Russians get hacked by the Terman lab. NSA...CIA...NRLO I
| think...yeah those guys.
| kryptiskt wrote:
| In Sweden you can just buy all that data legally because it's
| all public information.
| UberFly wrote:
| All the citizens' personal data is public information?
| Medical records as well?
| erenkaplan wrote:
| They never claimed the data...
| boringuser2 wrote:
| This happened in the US as well many a time.
| data_maan wrote:
| Wasn't there a similar breach in India a few years ago?
|
| There should be a clause that governments have to step down if
| breaches like that happen.
|
| But until leaders, like Erdogan, themselves get doxxed and
| trolled, probably nothing will be done.
| mediumdeviation wrote:
| The prime minister of Singapore was the target of a breach
| against a healthcare provider in 2018
| https://en.wikipedia.org/wiki/2018_SingHealth_data_breach
| mrguyorama wrote:
| Or, you know, people could stop voting for authoritarian
| assholes who don't care if bad things happen to average people
| because that's not why they are in government anyway.
| devsda wrote:
| I think you are aiming for accountability but making a
| government step down for data breach is unrealistic and has
| many unintentional consequences.
|
| In security you can account for many factors except the human
| factor.
|
| If there's sufficient incentive like automatically bringing
| down the government, you are painting a huge target on the
| hardware & software infrastructure for both internal(political
| rivals) and foreign entities(think governments with
| significantly more resources).
|
| There will always be at least one weak human link that can be
| exploited and that's far less price compared to what was done
| historically to topple governments.
| orhmeh09 wrote:
| I can sell to you the Turkish president's address for a small
| price of $1000. PM for details.
| boeingUH60 wrote:
| I heard he lives in a giant palace!
| mrtksn wrote:
| Turkey's govt actually has quite a robust IT infrastructure and
| the Turkish citizens can do pretty much anything through the
| turkiye.gov.tr portal. It's really useful, you can even cancel
| subscriptions to services and utilities from there. You can book
| appointments for documents services or hospitals, see all your
| medical history or even heritage records.
|
| These leaks have kept appearing for many years but their origin is
| not necessarily a hack of the government infrastructure. The
| leaks usually occur at election cycles because the address based
| electorate data is handled and processed by the political
| parties(which are not exactly IT elites) and gets stolen or
| leaked.
|
| Then there were high profile hacks of large food delivery
| services or other e-trade platforms.
|
| All this resulted in people collecting and merging data from
| multiple leaks and re-selling those.
|
| Edit: At some point, all the lawyers were using this data to
| track down people relevant to their court cases. They were
| selling it in CD format back then. Scammers and other criminals
| probably use this data too.
| RadixDLT wrote:
| "You can book appointments for documents services or hospitals,
| see all your medical history or even heritage records"
|
| you must be crazy if you think this is a good idea
| mrtksn wrote:
| It's very convenient, one of the perks of a totalitarian
| government with sound IT infrastructure.
| can16358p wrote:
| I agree that it's very convenient and I use it myself too:
| much better than going into crowded offices with bureaucracy
| etc.
|
| On the other hand, in case of a breach/hack, it becomes a
| serious problem.
| finnx wrote:
| Turkey has a universal healthcare system, government has to
| have all that info anyways. You have the option to hide specific
| items from your medical history so not even your doctors can
| see them. Every access to your records by your doctors is
| also logged and reported.
| aydgn wrote:
| why do you think it is a bad idea?
| hachiroku wrote:
| [dead]
| mghfreud wrote:
| Do the data shared with political parties contain real estate
| deeds?
| mrtksn wrote:
| I'm not sure what exactly it contains but all those leaks
| contain Name, Address and your national identity
| number(something like social security number). It must also
| contain the birthplace and date because in the last elections
| there was a question over how many refugees got citizenship and
| the opposition said they checked the birthplaces and the
| number is not too high.
|
| BTW, this data is available for the citizens too during the
| election cycle so you can check who lives in the same
| building with you and correct any mistakes. The list of the
| electorate is also attached at the polls so anyone can check
| for something fishy.
|
| Then in Turkey there's this obsession with companies about
| collecting as much info as possible about you, so when the
| food delivery service is hacked the hackers now can easily
| add your phone number, update your current address by
| matching your national identity number because for some
| reason they need to have that info to deliver some kebab.
|
| Also, this national identity number is generated through some
| algorithm which gives away your relatives and thanks to this,
| the hackers can also build your social graph from the leaks.
| Here is a repo about that algo:
| https://github.com/kerematam/akrabatcno
|
| AFAIK it's used in "your grandson had an accident and needs
| emergency surgery, send this much money ASAP" scams.
| pmontra wrote:
| > this data is available for the citizens too during the
| election cycle so you can check who lives in the same
| building with you and correct any mistakes.
|
| Why are they crowdsourcing a task that is a basic
| bureaucratic process in any state?
|
| I mean, is Turkey a state that doesn't know who its
| citizens are and where they live?
| mrtksn wrote:
| Its primary function is to prevent election fraud. In
| Turkey, elections are a serious business with
| participation rate above 85% and people are meticulous
| about the process.
|
| Also, in Turkey the address registration is self
| declaration based and the government doesn't actually
| check if you live there. So theoretically, it can be
| possible for a political party to arrange its voters
| distribution in such a way that it is advantageous for
| them. The idea is that citizens should be able to check
| against such things.
| pmontra wrote:
| I'm from Italy. When I change the place where I live I
| declare the new address and before they update my data an
| officer comes and checks that I really live there. They
| can get in and check that's not an empty house and I'm
| only pretending to live there, if they want to. The check
| is usually nothing more than peeking through the door
| though.
|
| It seems an easy task to perform.
| [deleted]
| mrtksn wrote:
| Wow that's creepy even for me, who lived for many years
| in Turkey. In Turkey, the only check is a reference from
| someone who is already registered in that address. All
| this can be done online, you declare your new address
| from turkiye.gov.tr and someone who's registered in that
| address can approve your declaration.
|
| Do you know that in UK they don't even have such a
| registry? The government doesn't know where you live(at
| least officially) and when you need to apply for
| something that requires proof of address they would use
| bank statements on your name sent by mail to that
| address.
|
| I wonder how do you feel about it? Do you think that the
| Italian approach is better? Why would the government have
| to know where you live for sure? Is it to prevent benefit
| frauds?
| pmontra wrote:
| No idea, it's been like that since forever AFAIK. At
| least it solves a lot of problems (you just show your
| photo id) and basically everybody you have a contract
| with would know that information anyway, utilities,
| banks, etc.
|
| Edit: there is a difference between the place you live
| and the place you are registered into. Example: a student
| is registered at parents' home and goes to study at a
| university in another city. He rents a room there. He has
| a contract there and the landlord must notify that the
| student lives there (since the terrorism laws in the 70s)
| but the student is still registered and votes at the city
| of his parents unless he registers at the other city.
|
| This is common also for workers. Maybe they live for
| years in a city (and the state knows) but they are still
| registered on their home one.
| aarong11 wrote:
| In the UK we have the electoral register. In order to
| vote, you need to be registered to it. The government
| most definitely does use it, as do credit scoring
| agencies and identity verification services.
|
| A lot of places do accept bank statements as a backup if
| you are not on the electoral roll.
| rafram wrote:
| That sounds wildly inefficient.
| ClumsyPilot wrote:
| > update your current address by matching your national
| identity number because for some reason they need to have
| that info to deliver some kebab
|
| Public wifi at O2/Millennium Dome in London is almost as
| bad.
|
| We really need to make extraneous data a liability and a
| risk burden to business.
| jacquesm wrote:
| In the EU this is already the case. You are only allowed
| to collect what you need for a specific purpose.
| paganel wrote:
| > AFAIK it's used in "your grandson had an accident and
| needs emergency surgery, send this much money ASAP" scams.
|
| Sad to hear that that scam is also used in Turkey, some
| very low and despicable people also use it here, in
| Romania, targeting elderly people, and it's really vile. I
| explicitly warned my parents not to fall for it in case
| someone calls them.
| terminalcommand wrote:
| They claim they have land registry records as well. Those are
| not part of the election database that was leaked eons ago.
|
| Your comment is not accurate.
| mrtksn wrote:
| They claim things but the screenshots I've seen did not have
| any of those.
|
| check this: https://eksisozluk1923.com/img/bei0vtuj
|
| It's the usual stuff: id number, name, birthday, address,
| phone.
|
| Then they have the "relatives", which is deducible from the
| id number.
|
| Then you have some promotional materials advertising the sale
| of additional data but I have not seen anyone confirming it.
| dizhn wrote:
| It is a bit premature to declare this leak "more of the same"
| because I am hearing people's medical records are out in this
| one. That would point to a new, probably wider leak.
| mrtksn wrote:
| That would be interesting, any links to reports about wider
| than the "usual" leaks?
| terminalcommand wrote:
| Please read the article linked, they claim they have land
| registry records as well :/.
| mrtksn wrote:
| They claim things but the sources are not of good
| quality. The screenshots I've seen were the usual data:
| Name, address and phone number.
| dizhn wrote:
| That might be because some interface(s) are supposed to
| show something like demo data when you enter an ID
| number. They want a membership for more. But this is
| speculation. I am sure we'll find out in a few days when
| it's already forgotten.
| dizhn wrote:
| A few anecdotal things from eksisozluk claiming people were
| able to look up the medicines they are taking. Nothing
| conclusive and I didn't really have the chance to do a deep
| dive with my current bandwidth. The files are supposed to be
| around 64GB.
| mrtksn wrote:
| Do you have a link to the files? I want to check this
| out.
| dizhn wrote:
| Sorry no. I have to find it too. I can't do anything
| right now because I am on metered 4G.
| jimmygrapes wrote:
| Every time I try to search for a phone number (Bing/ddg) I get
| pages and pages of clearly auto generated fake names associated
| with numbers, all hosted on that same Turkish government
| portal. I don't know why.
| mrtksn wrote:
| Interesting, are you sure it's turkiye.gov.tr?
| jimmygrapes wrote:
| Not entirely sure, no. Happens on work PC using Chrome
| (with uBlock Origin and most lists activated), but not at
| all on phone using Firefox, despite identical searches just
| tested now. I don't know enough about how this works to say
| much more.
| mysterypie wrote:
| Does anyone know the purpose served by those reverse phone
| number search sites that list hundreds of thousands of fake
| names and fake addresses?
| mrtksn wrote:
| The purpose is to serve ads and make money. They can do
| that because people will search for unknown numbers and
| names.
| mysterypie wrote:
| When these fake name/number sites first appeared about
| 5-8 years ago, they didn't have any ads or even outgoing
| links. (I looked without an ad blocker.) Ads might be the
| explanation for many of them _today_, but I don't think
| it's the original or sole reason. Though I suppose it may
| have begun as a proof of concept without ads to gauge the
| traffic, then ads got added years later.
|
| I've read speculation that they were started by telephone
| spammers to poison the utility of those who-called-me
| websites that highlighted spammers' phone numbers. I
| don't think that's the real reason either. It sounds too
| cute and clever for spammers. (As an aside: nowadays
| those services are useless since spammers can so easily
| fake the caller-ID.)
|
| I'm still thinking that there is an interesting story for
| the original purpose.
| emmelaich wrote:
| I get similar -- see my comment. But never gov.tr
| hakanderyal wrote:
| These are not on a government site, just the usual SEO spam.
| emmelaich wrote:
| Probably not related but I found a weird search result with many
| Turkish sites.
|
| Google search for "faegulas" results in many different .tr sites
| with personal data of USA people. The sites are all of the form
|
| <8randomletters>.<4random>.(info|com|net|gen).tr
|
| All seem to be blocked by Cloudflare though.
|
| [edit -- could be fake, generated data. but why]
| postexitus wrote:
| This is very weird. .com.tr and .org.tr registrations in
| Turkey are heavily bureaucratised with proofs of actual
| trademark ownership required and humans involved. So it is
| unlikely that these 4 letter domains could be automatically
| registered. The Cloudflare block is also odd. Could this be a
| DNS attack on Google on non-existing domains?
| emmelaich wrote:
| My guess is that they're all govt sites and used somehow in
| censorship or honey-trapping.
| [deleted]
| activiation wrote:
| Website sorgupaneli.org down
| phantom32 wrote:
| I think there have been multiple leaks in the past, and this
| website is not the first either...
| lr4444lr wrote:
| Why haven't the authorities moved in on the host of the site
| offering the data?
| 3327 wrote:
| [dead]
| 19h wrote:
| Is that old information? I'm sure I have a dump on most Turkish
| civilians from a few years back... it also includes data on
| Erdogan, his birth place and ID number.
| treesciencebot wrote:
| Be aware that the website(s) tied to this event have been down for
| quite a while and there is no concrete evidence that any of them
| have really worked. There were a few leaks back in the 2010s but
| nothing recently has come up (lots of claims, no real proof).
| commitpizza wrote:
| My country publishes everyone's data which then is offered by a
| number of services: https://mrkoll.se as an example.
|
| I wrote a blog article about it:
| https://commit.pizza/2022/10/16/the-only-way-of-being-anonym...
| davnn wrote:
| Do you see any negative aspects in day to day life since the
| data is published?
| lancebeet wrote:
| An aspect of this that some people find problematic is that
| many employers use these services to do background checks on
| individuals before hiring. Background checks are of course
| customary for some positions, in which case official police
| records will be retrieved with the candidate's knowledge or
| consent. For positions where background checks haven't
| historically been customary, these services will often be
| used instead, since they are much faster and cheaper in terms
| of administration, don't require consent and don't notify the
| candidate that they have been used, and (at least in the
| past) show offenses that no longer show up in the official
| records.
| hackernewds wrote:
| What about stalkers?
| RajT88 wrote:
| The government has been silent on this so far, but I suspect the
| underlying story could be described as 'Byzantine'.
| denton-scratch wrote:
| <groan>
| belter wrote:
| Join the party...
|
| "Every Netherlands resident affected by data leak: watchdog" -
| https://nltimes.nl/2023/06/06/every-netherlands-resident-aff...
|
| "Medical Data of 500,000 French Residents Leaked Online (2021)" -
| https://www.infosecurity-magazine.com/news/500k-french-medic...
| namaria wrote:
| These days you just have to assume every piece of personal data
| (and meta data about your online activity) eventually is made
| public.
| ClumsyPilot wrote:
| but your bank still uses it to confirm your identity over the
| phone
| smcin wrote:
| The Netherlands headline is alarmist and the full facts are not
| in yet: they did _not_ say "all residents' data had been
| leaked"; the number affected is estimated at 2+ million
| (population 17.5m) [0]. The Dutch DPA did say they should use
| a different password everywhere, use secure login, request
| organizations to delete their data... _" Citizens must assume
| that their personal data has already leaked or that this will
| happen at some point"_.
|
| Meanwhile: back in May 2020 a Dutch hacker obtained virtually
| all Austrians' personal data (full name, gender, address, DOB),
| police say [1]
|
| [0]: https://www.iamexpat.nl/expat-info/dutch-expat-news/millions...
|
| [1]: https://www.reuters.com/world/europe/dutch-hacker-obtained-v...
| m00dy wrote:
| great, thanks. I'm now famous.
| T3RMINATED wrote:
| [dead]
| usdogu wrote:
| It's not surprising. Turkish citizens' data is in the hands of 13
| y.o kids since 2015.
| x7ci wrote:
| This is unfortunately true. The "MERNIS" leak is freely
| available, containing some 49M citizens with their ID card
| numbers, addresses and a lot more.
___________________________________________________________________
(page generated 2023-06-10 23:03 UTC)