Compromising 54 Million IDs: The Shortcomings Of Turkish Cybersecurity

By   ISBuzz Team
Writer , Information Security Buzz | Jan 02, 2014 03:03 am PST

ISTANBUL—Last week, Russian activists seized the IDs of 54 million Turkish citizens, raising already heightened concerns about Ankara’s ability to protect the public’s private data. The information stolen included voters’ addresses and ID numbers.  It is unknown who exactly perpetrated the attacks.

That such a massive hack could be conducted in the first place reveals major shortcomings in Turkey’s cyber policy, particularly in regards to statewide privacy laws.

The attacks stoked the fires of a public already outraged by leaks which earlier this month revealed that the Turkish National Intelligence Organization (MİT) had profiled citizens based upon their religious and ideological identities and then shared their findings with government agencies.

Taraf, a liberal newspaper based out of Istanbul, published a series of documents exposing the leak.  Those documents present the view that persons of religious and faith-based groups were the primary targets, with public tenders and government employment the main issues at stake.

But the violation of private data is even worse than it seems.

In a report entitled “The National and International Situation Assessment over the Protection of Personal Data,” the State Audit Board of Turkey (DKK) presented its findings of an audit it conducted investigating the privacy protection procedures of a number of government agencies, including the Justice and Health Ministries.

What it found was deeply troubling.  Among other things, the report revealed that Turkish government agencies are not the actual proprietors of their information.  On the contrary, they collaborate with contractor companies that have access to citizens’ private information without hardly any restrictions.  This information is then entirely subject to the privacy measures of these companies—not the Turkish government.

That is not to say that the Turkish government would be any more responsible with its citizens’ private data, however.  Specifically, the DKK’s report reveals that many government employees copy and share sensitive information with one another via CDs, DVDs, and USBs, notwithstanding rules prohibiting out-of-network info sharing.

Obviously, the hacking of 54 million Turkish users’ information has grabbed the attention of Ankara.  But what is to be done?

Most fundamentally, this incident reveals the country’s inadequate cyber security measures, its lack of an information sharing structure between the public and private sector, and the absence of safeguards designed to protect values associated with Internet freedom, such as privacy.

Irrespective of whether Turkey is able to punish the Russian activists responsible for this hack, it would be wise for Ankara to enact laws that can protect people’s privacy online and to create an information sharing strategy that can be implemented across government-wide.  These measures can, in the long-term, prevent similar attacks from happening.

Dave BissonDavid Bisson | @DMBisson

Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation.  He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern.  Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.