 public health system have been exposed on the dark web, according to the Turkish Cypriot Yenidüzen newspaper.){kind=link}
The personal and medical records of more than 364,000 people registered in the Turkish Republic of Northern Cyprus (KKTC) public health system have been exposed on the dark web, according to the Turkish Cypriot Yenidüzen newspaper.
Cyprus has been divided since 1974, when a Turkish military intervention followed a coup in Nicosia backed by Greece’s then military junta. The KKTC, declared in 1983, is recognized only by Turkey.
The breach affects data held by the Turkish Cypriot administration’s health ministry and includes citizens as well as foreign nationals who have received healthcare in northern Cyprus. Cybersecurity experts based in the Netherlands said they had verified the authenticity of the leaked files and described the incident as one of the largest known data breaches in the territory. They warned that the information could be used for identity theft, fraud, blackmail and stalking.
The database reportedly contains records from people of 202 nationalities and 340,000 records suggesting the breach extends beyond Turkish Cypriots to thousands of foreign nationals, which includes Turkish citizens who have used the territory’s healthcare system.
The hackers also claimed to possess a separate database containing information on people diagnosed with HIV/AIDS, although the claim has not been independently verified. They further alleged that they had obtained entry and exit records for approximately 340,000 people who traveled to northern Cyprus.
Transportation Minister Erhan Arıklı acknowledged that the allegations could be true and said the Information Technologies and Communications Authority was investigating the incident.
“This is an allegation. We are investigating it. Is it possible? Yes, it is,” Arıklı said.
He added that government institutions had previously been targeted by cyberattacks and acknowledged that the administration lacked sufficient technical personnel to respond effectively. Arıklı said officials had requested cybersecurity assistance from Turkey and had begun setting up a new cyber defense unit.
Although officials initially said they had found no evidence of a breach, Yenidüzen later published screenshots from a dark web forum showing hackers advertising the stolen data.
In the post the attackers identified themselves with nicknames and claimed responsibility for leaking the KKTC health database.
The hackers said the database contained about 340,000 records with personal information, including names, identity numbers, birthplaces, addresses and family details. The post also claimed the group had obtained data on people diagnosed with HIV/AIDS but had chosen not to release it.
The Chamber of Computer Engineers called for an independent investigation, saying the incident should be treated as a matter of public safety and national security rather than solely an information technology issue. The organization also criticized the failure to establish a long-discussed national cybersecurity strategy as well as as monitoring centers, arguing that institutional weaknesses had left public systems vulnerable to cyberattacks.
The Cyprus Turkish Medical Association warned that if confirmed, the breach would be the largest data leak in the territory’s history.
The association’s chair Özlem Gürkut said public trust could not be restored if citizens’ most sensitive personal information was left unprotected. She called on the government to disclose when the breach was first detected, whether biometric data had also been compromised and who would be held accountable.
The Turkish Cypriot main opposition Republican Turkish Party (CTP) accused the government of failing to protect state systems. CTP leader Sıla Usar İncirli said hackers had effectively been operating inside government networks without detection and questioned whether officials knew who controlled citizens’ personal data.
CTP lawmaker Ürün Solyalı said cyberattacks were an unavoidable reality in the digital age but argued that governments were responsible for building adequate defenses. He accused the administration of leaving institutions responsible for e-government services and personal data protection without sufficient funding, staff or legal regulations.
The leaked database first appeared on a dark web forum on January 8 and remained publicly accessible for months before the breach came to greater public attention. Opposition politicians questioned why the public had not been informed sooner if the data had been available online for nearly six months.
The breach also raises questions about the security of the Turkish Cypriot administration’s Turkey-backed digital government infrastructure. The KKTC e-government portal is formally operated by the Prime Ministry’s Digital Transformation and Electronic Government Authority, while Turkey’s state-owned Türksat has played a central role in building and integrating the system, including e-health services.
The Turkish Cypriot case adds a cross-border dimension to criticism that Turkey and institutions tied to it have failed to protect personal data. In September 2024 Turkey’s National Cyber Incident Response Center (USOM) reportedly found that hackers had uploaded a database containing the personal details of more than 108 million Turkish citizens, including deceased people, to Google Drive, exposing national ID numbers, addresses, phone numbers and other records.
Public anger over Turkey’s data security record grew further after “Panel,” a documentary released by the İstanbul-based media outlet 140journos, alleged that hackers exploited flaws in government health databases to access medical records, identity information and phone numbers belonging to millions of people. The documentary claimed that some stolen information was later sold through underground online marketplaces.