The personal and medical records of more than 364,000 people registered in the public health system of the Turkish Republic of Northern Cyprus (KKTC) have been exfiltrated and published on the dark web, according to reporting by the Turkish Cypriot newspaper Yenidüzen. Cybersecurity researchers based in the Netherlands have verified the authenticity of the leaked files and described the incident as one of the largest known data breaches in the territory. The exposed data spans citizens of 202 nationalities, including foreign nationals and Turkish citizens who received care in northern Cyprus.
What Happened
Attackers compromised data held by the Turkish Cypriot administration's health ministry and posted the stolen files to the dark web. Independent cybersecurity experts in the Netherlands confirmed the leaked material is genuine, lending credibility to the scope of the claims. The breach was significant enough to draw public acknowledgment from Transportation Minister Erhan Arıklı, who confirmed the allegations were being taken seriously.
Beyond the core health database, the threat actors made two additional claims. They asserted possession of a separate database identifying individuals diagnosed with HIV/AIDS, and they alleged they had obtained entry and exit records for roughly 340,000 people who traveled to northern Cyprus. Neither of these secondary claims has been independently verified, but they substantially raise the potential harm profile of the incident if true.
What Was Taken
The confirmed dataset includes both personal and medical records for more than 364,000 individuals registered in the KKTC public health system. The database reportedly contains records tied to people of 202 nationalities, with roughly 340,000 records indicating the exposure extends well beyond Turkish Cypriots to thousands of foreign nationals.
The sensitivity of this material is high. Health records combine immutable personal identifiers with intimate medical histories, and the additional unverified HIV/AIDS database and travel movement records would compound the risk dramatically. Researchers warned the information could be weaponized for identity theft, fraud, blackmail and stalking.
Why It Matters
Health-sector data is among the most damaging categories of stolen information because it cannot be reset like a password. For defenders, this incident underscores how a single government health system can become a one-stop repository of exploitable data on hundreds of thousands of people across more than 200 nationalities.
The political context sharpens the stakes. The KKTC is recognized only by Turkey, which complicates cross-border incident response, international law enforcement cooperation and victim notification. The presence of foreign nationals and Turkish citizens in the dataset means the fallout extends far beyond the territory's borders, and the alleged HIV/AIDS and travel records introduce acute risks of targeted blackmail and stalking against vulnerable populations.
The Attack Technique
The precise intrusion vector has not been disclosed in the available reporting. What is confirmed is the outcome: bulk exfiltration of a centralized health ministry database followed by publication on the dark web, a pattern consistent with either direct database compromise or exploitation of an exposed or poorly secured government system. The attackers' staged release and their claims to hold additional linked databases suggest sustained access rather than a smash-and-grab. Until the ministry publishes a technical post-incident analysis, the entry point should be treated as unknown.
What Organizations Should Do
- Audit and segment centralized health and identity databases so a single compromise cannot expose the entire population's records; isolate especially sensitive datasets such as HIV/AIDS status.
- Enforce encryption at rest and in transit for all health records, and ensure database credentials and access tokens are rotated and tightly scoped.
- Deploy data loss prevention and egress monitoring to detect bulk exfiltration of large record sets before they leave the network.
- Require multi-factor authentication and least-privilege access for all administrative and database accounts, and review third-party and vendor access paths.
- Stand up an incident response and breach notification process that accounts for cross-border victims, including foreign nationals, and engage credible external forensic verification early.
- Monitor dark web channels for leaked records and provide affected individuals with concrete guidance on identity theft, fraud, blackmail and stalking risks.
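
One way to implement the bulk-read detection and the tighter handling of especially sensitive datasets recommended above, as an added example that is not from the original report or from the ministry's systems: it scans database audit events for accounts whose rows read within a sliding window exceed a per-table budget. The log format, account and table names, and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events (assumed format): ISO time, account, table, rows returned.
SAMPLE_LOG = """\
2024-01-10T09:00:05 clinic_app patients 12
2024-01-10T09:01:10 clinic_app patients 30
2024-01-10T09:02:00 report_svc patients 4000
2024-01-10T09:03:00 lab_user hiv_registry 3
2024-01-10T09:05:00 report_svc patients 4000
2024-01-10T09:06:00 lab_user hiv_registry 60
2024-01-10T09:30:00 report_svc patients 4000
malformed line here
"""

WINDOW = timedelta(minutes=10)
# Hypothetical row budgets per account per window; sensitive tables get a far lower one.
LIMITS = {"patients": 5000, "hiv_registry": 50}
DEFAULT_LIMIT = 5000

def detect_bulk_reads(log_text, window=WINDOW, limits=LIMITS):
    """Return (time, account, table, rows_in_window) alerts; input must be time-ordered."""
    recent = defaultdict(deque)   # (account, table) -> events still inside the window
    totals = defaultdict(int)     # (account, table) -> rows read inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        try:
            ts_s, account, table, rows_s = line.split()
            ts, rows = datetime.fromisoformat(ts_s), int(rows_s)
        except ValueError:
            continue              # skip blank or malformed lines instead of crashing
        key = (account, table)
        recent[key].append((ts, rows))
        totals[key] += rows
        while ts - recent[key][0][0] > window:   # expire events older than the window
            totals[key] -= recent[key].popleft()[1]
        limit = limits.get(table, DEFAULT_LIMIT)
        if totals[key] > limit:
            if key not in alerted:               # one alert per burst, not per event
                alerted.add(key)
                alerts.append((ts.isoformat(), account, table, totals[key]))
        else:
            alerted.discard(key)                 # re-arm once the account is back under budget
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(alert)
```

Budgets like these only work when derived from each account's normal read volume, and the check belongs on the database audit stream rather than on application logs an intruder could bypass.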
Sources: Turkish Cypriot administration data breach exposes health records on dark web - Turkish Minute