A bill regulating cybersecurity passed by Turkey’s parliamentary defense committee on Friday could make it a criminal offense to report on data breaches if it becomes law.
The legislation, proposed by ruling Justice and Development Party (AKP) lawmakers, introduces prison sentences of up to five years for those found guilty of creating the “false perception” of a data leak.
Critics say the law could be used to silence independent journalism and restrict public access to critical information about state-linked data breaches that have previously exposed millions of Turkish citizens’ personal information.
The proposal states that individuals or entities that “falsely create the perception of a data leak” could face imprisonment of between two and five years. AKP lawmakers argue that the existing disinformation law, enacted in 2022, does not sufficiently cover cybersecurity threats and claim the new provisions will help combat cybercrimes more effectively.
However, opposition lawmakers and media watchdogs warn that the law’s vague language could be exploited to suppress investigative journalism.
Main opposition Republican People’s Party (CHP) MP Tuncay Özkan criticized the AKP’s cybersecurity bill on X, saying that instead of the people who fail to protect data, the people who expose breaches to the public will face up to five years in prison.
AKP #sansüryasası'ndan sonra şimdi de 'algı oluşturma' suçuyla yine gazeteciliği cezalandıracak!
TBMM’deki #SiberGüvenlikKanunu ile 'veri sızıntısı olmadığı halde veri sızıntısı yapılmış gibi algı oluşturma' suçu oluşturuluyor!
Suçu işleyenlere 2 yıldan 5 yıla hapis cezası var! pic.twitter.com/oE6YGdSctO
— Utku Çakırözer (@utkucakirozer) January 15, 2025
CHP MP Utku Çakırözer condemned the AKP’s proposed cybersecurity law, stating that following the disinformation law, the government now aims to criminalize journalism by introducing a new offense of “creating the perception of a data breach.”
The disinformation law has already led to at least 66 investigations targeting journalists and over 4,500 probes into people accused of “spreading misleading information,” according to data from the Media and Law Studies Association (MLSA).
Major data breaches
The law comes in the wake of multiple large-scale data breaches that have undermined public trust in the government’s ability to secure sensitive information.
In September 2024 Turkey’s National Cyber Incident Response Center (USOM) reportedly discovered that hackers had uploaded a database containing the personal details of over 108 million Turkish citizens, including deceased individuals, to Google Drive. The leaked information included national ID numbers, addresses, phone numbers and other sensitive data.
Investigative journalist Ali Safa Korkut of Free Web Turkey first reported on the breach, revealing that the government sought Google’s assistance in containing the leak through an official letter titled “Dear Google Team.”
The revelation fueled criticism of the state’s handling of cybersecurity as well as concerns about the sale of stolen data on illicit online marketplaces for as little as $5 per record.
Documentary reveals government’s poor handling of personal data
A documentary released Tuesday on the YouTube channel of 140journos, an İstanbul-based media outlet that produces and publishes visual stories, documentaries and qualified research on a wide range of issues about Turkey, reveals serious security flaws in Turkey’s government databases, particularly in HSYS and e-Nabız, the national health data repositories.
The documentary, titled “Panel,” traces the origins of a major data breach to online gaming communities, where young people — some as young as 15 — developed hacking skills that led them into illegal activities. The central figure, going by the nickname “Adanalı,” and his associates allegedly exploited weaknesses in government databases, accessing personal medical records, identity information and phone numbers of millions, including government officials and intelligence personnel.
The most shocking claim in “Panel” is that the government health service website’s authentication system was so poorly secured that verification codes — intended to be sent via SMS — were visible in the website’s front-end code. By simply pressing F12 and opening developer tools in a web browser, attackers could extract the codes, log in as legitimate users and access vast amounts of personal health data.
This flaw represents a severe failure in cybersecurity practices, as sensitive authentication details should have been securely handled by back-end servers, not exposed in the front-end interface.
After gaining unauthorized access, these hackers allegedly created Libra, an underground data marketplace that utilizes artificial intelligence where stolen information was classified and eventually bought and sold. The documentary describes Telegram and Discord channels where criminals trafficked personal records, enabling identity theft, digital extortion and financial fraud.
Data breaches reportedly extended beyond health records, affecting government institutions, private companies and financial services, exacerbating the scale of the cybersecurity crisis in Turkey.
According to the documentary, the vast amount of data ended up in the hands of criminal networks, who then sold the information to those willing to pay.
The documentary details harrowing personal stories of individuals affected by data leaks. Victims allegedly faced blackmail and cyberbullying, with some suffering severe emotional distress. One tragic case involved a teenage girl who took her own life after being blackmailed.
The documentary garnered over a million views on YouTube in just two days, sparking outrage among Turks who took to social media to express indignation over poor handling of their personal data by the government.
Following the public reaction, the Turkish Ministry of Health denied the claims made in “Panel,” claiming that no breach occurred in e-Nabız and that the system was never shut down due to security concerns as alleged in the film. Officials argued that the scale of the database made it impossible for data to be extracted and stored on personal devices.
However, the documentary suggests that government negligence and poor cybersecurity policies enabled these breaches. It accuses officials of failing to acknowledge vulnerabilities and ignoring warning signs of growing cyber threats.
Beyond the specific breaches, “Panel” raises broader concerns about Turkey’s digital security infrastructure. The film argues that Turkey’s cybersecurity lacks proper regulatory oversight, exposing citizens to identity theft, financial fraud and surveillance risks.
The documentary calls for urgent reforms, emphasizing that without stronger data protection laws and independent oversight, similar breaches could occur in the future.
Expanded powers for cyber investigations
The cybersecurity bill also grants authorities sweeping new powers to conduct searches, seize electronic devices and impose administrative fines without judicial oversight in cases deemed urgent. Prosecutors or the head of the newly established Cybersecurity Directorate will have the authority to order home and office searches in cases involving suspected cyber threats.
CHP MP Çakırözer warned that the proposed bill grants the Cybersecurity Directorate unrestricted and unsupervised access to all data, information and log records from civil society, companies, municipalities and individuals, posing a serious threat to privacy and personal data in violation of the constitution.
The law also establishes a Cybersecurity Council, which will oversee national cybersecurity strategies and have the authority to impose restrictions on digital services. Critics argue that the council, which will operate under the direct supervision of the presidency, lacks independence and could be used to suppress online dissent.
In previous years, journalists including İbrahim Haskoloğlu and Cevheri Güven have reported on systemic vulnerabilities in Turkey’s cyber infrastructure, including the use of pirated software in government facilities. Haskoloğlu was arrested in 2022 after exposing a data breach affecting government databases.