Turkish citizenship database (MERNIS) leak

In April 2016, a 6.6 GB database containing the personal records of 49,611,709 Turkish citizens was dumped in cleartext on a website hosted outside Turkey — an exposure covering nearly the entire adult population of the country and one of the largest national-ID leaks in history.

What happened

The leaked file was a PostgreSQL dump drawn from MERNIS (Merkezi Nüfus İdare Sistemi), Turkey's Central Civil Registration System maintained by the Ministry of Interior. The records corresponded to citizens eligible to vote in the 2009 local elections. Each row contained a TC Kimlik No (national identity number), first and last name, mother's and father's names, gender, city of birth, date of birth, the city and district of ID registration, and a full residential address.

The dump was distributed via torrent and a dedicated .onion/mirror site beginning on 3 April 2016. The site framed the release as politically motivated, taunting the Turkish government over its data-security practices and reproducing the same fields for President Recep Tayyip Erdoğan and other officials.

Verification

Independent confirmation came quickly. The Associated Press ran ten non-public Turkish ID numbers against the dataset and matched eight to the correct names, establishing that the data was genuine rather than fabricated or recycled marketing.

Impact

49.6 million citizens had immutable identity data — national ID numbers, parentage, birth details, and home addresses — published in plaintext, freely downloadable.
Because a TC Kimlik No cannot be changed, the exposure created a permanent foundation for identity theft, financial fraud, and impersonation that no password reset could remediate.
The data has continued to circulate for years on forums and Telegram channels, feeding later Turkish breach ecosystems.

Official response

Turkish authorities largely minimized the incident. Then–Communications Minister Binali Yıldırım characterized it as an "old story" recycled from a 2010 episode in which officials had allegedly been selling registry fragments. The Justice Ministry opened an investigation, but no perpetrator was ever publicly identified and no remediation was offered to affected citizens.

Why it matters

The MERNIS leak is the foundational Turkish data-breach event: it demonstrated that a single centralized civil-registration database, once exfiltrated, can compromise an entire nation's population permanently. It also previewed a recurring pattern in Turkey — large government-held datasets leaking, official denial or minimization, and no accountability — that would repeat with the e-Devlet breaches years later.

Timeline

January 1, 2010

Earlier allegations surface that Turkish officials were selling fragments of the MERNIS civil-registration database; the government dismisses them.

April 3, 2016

A 6.6 GB torrent containing the leaked database is created and circulated; Turkish websites begin reporting the dump.

April 4, 2016

The leak goes global. A site hosted abroad offers the data for download in PostgreSQL format with a politically charged message mocking the Turkish government.

April 5, 2016

The Associated Press partially verifies the dump, matching 8 of 10 non-public Turkish ID numbers to names in the file.

April 6, 2016

Transport and Communications Minister Binali Yıldırım downplays the leak, calling it an 'old story' recycled from 2010.

April 6, 2016

The Justice Ministry confirms an investigation has been opened; no perpetrator is ever publicly identified.

Sources

en.wikipedia.orghttps://en.wikipedia.org/wiki/2016_MERNIS_scandal

cbc.cahttps://www.cbc.ca/news/science/turkey-hack-1.3521108

theregister.comhttps://www.theregister.com/2016/04/04/turkey_megaleak/

databreaches.nethttps://databreaches.net/2016/04/03/turkish-citizenship-database-leak/

blackmoreops.comhttps://www.blackmoreops.com/2016/04/05/turkish-citizenship-database-dumped/

Related incidents

Data breachResolvedJuly 19, 2016

AKP Emails data breach (2016)

In July 2016, a hacker known as Phineas Fisher hacked Turkey's ruling party (Justice and Development Party or "AKP") and gained access to 300k emails. The full contents of the emails were subsequently published by WikiLeaks and made searchable.

Victim: AKP Emails
Records: 917.5K

Data breachunresolvedJune 9, 2023

e-Devlet (e-Government Gateway) data breach

Turkey's central e-Government portal was harvested for the records of an estimated 85 million citizens and residents, with ID numbers, addresses, phone numbers, family links, health and financial data sold online and updated in near real time.

Victim: e-Devlet (Türkiye e-Government Gateway)
Records: 85.0M

Data breachResolvedSeptember 7, 2016

eThekwini Municipality data breach (2016)

In September 2016, the new eThekwini eServices website in South Africa was launched with a number of security holes that lead to the leak of over 98k residents' personal information and utility bills across 82k unique email addresses.

Victim: eThekwini Municipality
Records: 81.8K

Data breachResolvedApril 14, 2016

Mexican voter database exposure (Mexico, 2016)

A misconfigured MongoDB database left the full Mexican national voter roll — 93.4 million records including names, addresses, birthdates and national ID numbers — publicly accessible on Amazon's cloud with no password, for months.

Victim: Instituto Nacional Electoral (INE) — Mexican voter registry
Records: 93.4M