e-Devlet (e-Government Gateway) data breach

Beginning in June 2023, the personal records of an estimated 85 million Turkish citizens and residents — effectively the country's entire population — were found being sold online after being harvested from e-Devlet, Turkey's central e-Government Gateway.

What happened

e-Devlet is the single sign-on portal through which Turks access thousands of public services: tax records, health data, property and vehicle registration, education credentials, and judicial records. Reporting that surfaced on 9 June 2023 revealed that a site called sorgupaneli.org was offering Turkish citizens' private data in exchange for a free membership signup, with "premium" tiers promising more sensitive fields. The operators boasted they could supply the records of high-profile figures, including President Recep Tayyip Erdoğan, opposition leader Kemal Kılıçdaroğlu, and former president Abdullah Gül.

The exposed fields went far beyond static identity data. They included national ID numbers, phone numbers, home addresses, family-member links, education and health records, banking credentials, tax status, and property details — and, critically, the data was being updated in near real time, indicating ongoing unauthorized access to live government systems rather than a one-time dump.

Impact

An estimated 85 million people exposed — described in reporting as the most extensive data breach in Turkish history.
Because the data was continuously refreshed, victims could not "age out" of the exposure; queries returned current addresses and phone numbers.
A thriving data-brokering ecosystem emerged, with records sold for as little as 100 Turkish lira through panel websites and Telegram groups.

Official response

For more than a year, Turkish authorities denied or stayed silent on the breach. The turning point came on 12 September 2024, when Transport and Infrastructure Minister Abdulkadir Uraloğlu became the first senior official to publicly confirm that citizens' data had been stolen from e-Devlet during the COVID-19 pandemic, contradicting earlier government reassurances.

Why it matters

The e-Devlet breach showed how a centralized digital-government platform becomes a single point of catastrophic failure. Unlike the 2016 MERNIS leak, which was a static snapshot, e-Devlet's data was live and self-refreshing, turning the breach into a persistent surveillance and fraud utility. The episode — official denial followed by belated confirmation, with no remediation for citizens — became a defining argument in Turkey's debate over data-protection enforcement and a 2025 cybersecurity law criticized as a censorship tool.

Timeline

June 9, 2023

Reports emerge that a website, sorgupaneli.org, is selling personal data harvested from Turkey's e-Devlet portal, claiming to cover citizens including President Erdoğan.

June 1, 2023

Digital-rights scholar Yaman Akdeniz calls for an immediate investigation; authorities initially stay silent or deny a breach.

March 8, 2024

Follow-up reporting confirms Turkish citizens' data is still being harvested and sold via panel sites and Telegram, updated in near real time.

August 21, 2024

Investigations document data being offered for as little as 100 Turkish lira, with the dataset estimated at 85 million people.

September 12, 2024

Transport and Infrastructure Minister Abdulkadir Uraloğlu becomes the first senior official to confirm citizens' data was stolen from e-Devlet during the pandemic.

Sources

balkaninsight.comhttps://balkaninsight.com/2023/06/09/turkish-citizens-personal-data-offered-online-after-govt-site-hacked/bi/

balkaninsight.comhttps://balkaninsight.com/2024/09/12/turkish-minister-confirms-e-govt-system-was-hacked-in-pandemic/

balkaninsight.comhttps://balkaninsight.com/2024/03/08/turkish-citizens-data-harvested-from-govt-portal-being-sold-report/

globalvoices.orghttps://globalvoices.org/2024/08/21/100-tl-for-your-data-how-turkish-citizens-lost-all-expectations-of-data-security-and-privacy/

one2call.nethttps://one2call.net/blog/details-of-85-million-people-leaked-turkish-government-site-hacked

Related incidents

Data breachResolvedJuly 19, 2016

AKP Emails data breach (2016)

In July 2016, a hacker known as Phineas Fisher hacked Turkey's ruling party (Justice and Development Party or "AKP") and gained access to 300k emails. The full contents of the emails were subsequently published by WikiLeaks and made searchable.

Victim: AKP Emails
Records: 917.5K

Data breachunresolvedApril 4, 2016

Turkish citizenship database (MERNIS) leak

A 6.6 GB database containing the national ID numbers, full names, parents' names, addresses, and dates of birth of 49.6 million Turkish citizens was dumped in cleartext online, exposing nearly the entire adult population.

Victim: Republic of Turkey — MERNIS / Civil Registration
Records: 49.6M

Data breachResolvedApril 2, 2023

9Near Thailand 55-million citizen data extortion

A hacker using the alias '9Near' threatened to leak the personal data of 55 million Thais, allegedly sourced via the government's Mor Prom health app; an army sergeant was later identified and surrendered.

Victim: Thai citizens (data linked to Mor Prom health platform)
Records: 55.0M

Data breachResolvedFebruary 1, 2023

Convex data breach (2023)

In February 2023, the Russian telecommunications provider Convex was hacked by "Anonymous" who subsequently released 128GB of data publicly, alleging it revealed illegal government surveillance. The leaked data contained 150k unique email, IP and physical addresses, names and phone numbers.

Victim: Convex
Records: 150.1K