In October this year, the email addresses and phone numbers of more than 5,000 individuals named in a database of the Turkish Business Association were listed for sale on a hacker forum; a month later, buyers were offered the personal data of more than 1.7 million Turkish students, while multiple credit card data leaks surfaced on dark web forums through November and December.
Yet the year began with the promise of a crackdown on cyber crime, to be led by a Cybersecurity Presidency created in January in line with a comprehensive Cybersecurity Law adopted in March.
Turkey has produced four separate cybersecurity strategies over the past decade, but the architecture on paper has not translated into protection in practice, experts say.
As data breaches continue to expose tens of millions of people, experts say the root causes lie not in technology but in governance, culture and coordination.
“Most organisations can buy the tools they need, and the number of skilled professionals is increasing,” said Nur Seker, a cybersecurity consultant.
“The real challenges, in my view, are more about governance, culture, and how different actors in the ecosystem coordinate with each other.”
Denial first
Recent years have brought a string of major data breaches in Turkey, targeting, among other institutions, the health ministry and the e-Government [e-Devlet] portal.
In June 2023, when a website began openly selling stolen e-Government data, including those of President Recep Tayyip Erdogan, officials denied any breach had occurred. Ali Taha Koc, then head of the Digital Transformation Office, told parliament that such a leak was “technically impossible”, only for a cabinet minister to come clean in September 2024, saying “some data was unfortunately obtained” during the COVID-19 pandemic, but that it “could not have been prevented”.
Ziyahan Albeniz, a journalist and cybersecurity researcher, said the response was always the same: denial, followed by “vague acceptance”.
“This tells us something fundamental,” he said: “In Turkey, an incident response culture which is based on rapid verification, transparent communication, damage mitigation and accountability has not yet become an institutional standard.”
Previously, cybersecurity was coordinated by the Cybersecurity Department within the Digital Transformation Office.
On January 8 this year, however, a standalone Cybersecurity Presidency was created by presidential decree, reporting directly to Erdogan.
The new body was given broad authority to formulate national cybersecurity strategy, oversee cybersecurity across public and private sectors, coordinate incident response, and determine which entities qualify as critical infrastructure. Nevertheless, it took until late October to appoint a director.
Shooting the messenger
Critics of the new Cybersecurity Law, adopted in March, say it goes after the wrong person – the messenger, rather than the hacker or the official responsible for keeping data safe.
The practice was already well-established: in April 2022, for example, journalist İbrahim Haskologlu was arrested after reporting that hackers had got their hands on the personal data of Turkish citizens held in government databases.
Haskologlu had been contacted by a hacker group two months earlier and published redacted images of what he said were the national ID cards of Erdogan and Hakan Fidan, the then head of Turkey’s National Intelligence Organisation, MIT, as proof that the breach was real.
Haskologlu was detained, held for eight days, and charged with “illegally obtaining and disseminating personal data”. He was acquitted, but left Turkey in late 2024 following a slew of death threats.
The New York-based Committee to Protect Journalists, CPJ, said Turkish authorities “should be more concerned with the alleged hacking of government databases than the journalists who are covering it”.
The new Cybersecurity Law criminalises “producing or disseminating false content suggesting a data breach”, punishable by between two and five years in prison.
Albeniz said the provision appears designed to prevent public panic, but in practice can be used to silence legitimate reporting.
“Even before this law, we witnessed a journalist being detained over reporting a data breach only for the information in question to later be implicitly confirmed,” he said, in reference to the Haskologlu case.
“In practice, the greatest risk is this: such regulations may push well-intentioned researchers, journalists, and civil society actors into silence out of fear.”
“From my perspective, this provision prioritises the protection of institutional reputation over the protection of citizens,” Albeniz told BIRN.
Box-ticking approach
The sale of Turkish citizens’ private data on the dark web. Photo: Screenshots from dark web.
Turkey’s primary legal framework for data protection is the Personal Data Protection Law, enacted in April 2016 shortly before the EU’s own General Data Protection Regulation, GDPR.
The law established the Personal Data Protection Authority as an independent supervisory body, created a mandatory Data Controllers Registry, VERBIS, and introduced breach notification requirements obliging controllers to inform authorities within 72 hours of discovering an incident.
On paper, the framework appears to reflect EU standards. In practice, enforcement has focused more on punishing firms that failed to register with VERBIS than on preventing breaches.
In August 2024, the Authority said it had fined over 16,000 organisations a total of 503 million Turkish lira [roughly 10 million euros], not for security failures but primarily for failing to register with VERBIS.
Turkey’s law lacks the mandatory Data Protection Impact Assessments found within the GDPR or the EU’s requirement for Data Protection Officers.
Seker, the cybersecurity consultant, said Turkey’s Personal Data Protection Law “gives Turkey a solid legal foundation, but the ecosystem still needs more consistency in transparency, reporting, and sector-wide standards”.
“Many industries don’t yet have mandatory minimum security requirements,” she said, but pointed also to a deeper problem of the security culture.
“Another challenge is the habit of treating audits as a ‘box-ticking’ exercise,” Seker told BIRN.
“When documentation becomes the main focus, it’s hard to understand an organisation’s real security posture. This also shows up in third-party reviews: security testing, independent validation, and technical assessments aren’t always required, which can cause supply-chain risks to go unnoticed.”
“In many organisations, cybersecurity is still treated as something the IT department handles rather than a strategic responsibility,” Seker said. “Because of this, essential processes like security vulnerability patching, access control, and data classification tend to stay on paper. Decisions are often based on gut feeling rather than data because national risk scoring, measurable security KPIs [key performance indicators], and broad threat-intelligence sharing are still limited.”
The core issue, she said, is “maturity of governance, security culture, and data-driven decision-making”.
To improve, Turkey should introduce “performance-based audits, clearer supplier assessment standards, and more structured breach-reporting processes”.
Reputations over rights
Albeniz identified three areas where Turkey’s approach diverges from standard practice in Western Europe, even when the legal frameworks are similar: reporting, oversight and public communication.
“Under the GDPR, the rule is clear: data controllers must notify the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of a breach,” he said.
“Similar legal provisions exist in Turkey as well. However, the natural extensions of this process (accountability, taking responsibility and, when necessary, suspensions or sanctions) are often treated as if they were merely ‘Western customs’ and therefore optional.”
In terms of independent oversight, “in well-functioning democracies, regulators, parliaments, independent authorities, and courts treat data breaches not as matters of reputation, but as issues of public safety and fundamental rights”, said Albeniz. That is not the case in Turkey.
And when it comes to alerting the public, “in Western democracies, citizens are clearly informed: What happened? Which data was affected? What should I do now?”
In Turkey, however, “the dominant reflex is often denial or downplaying”, said Albeniz.
“When this posture is adopted directly by the authorities themselves, it is particularly disheartening.”
‘Little cooperation’ between public and private entities
Turkey has published four consecutive national cybersecurity strategies since 2013, each stressing the importance of collaboration between public and private actors to the protection of critical infrastructure and creation of a resilient ecosystem.
However, the country’s current cybersecurity architecture remains stubbornly vertical: the Information and Communication Technologies Authority, BTK, oversees telecommunications infrastructure; the National Cyber Incident Response Center, USOM, handles incident response; the new Cybersecurity Presidency should set policy; the Personal Data Protection Authority enforces privacy law; and sector-specific ministries and the military each maintain their own IT systems with varying security standards.
In a report published in September, the Organisation for Economic Cooperation and Development, OECD, stressed the importance of horizontal coordination across government, not vertical hierarchies operating in silos.
It cited three essential elements: clear objectives adopted at the highest level of government to strengthen digital security; governance mechanisms that allocate responsibility across sectors; and “whole-of-government domestic coordination to establish intra-governmental cooperation, ensure consistency of the measures adopted across sectors, allocate resources across responsible government bodies and create a critical mass of expertise and skills”.
“Coordination across governmental agencies and a clear definition of responsibility and mandates between them are essential,” the report stated, and cited the example of Denmark, where overarching policy is the responsibility of the finance ministry but each ministry responsible for a critical sector is required to develop a specific sub-strategy in its area of competence. Such an approach balances central coordination with sectoral expertise.
The new Cybersecurity Presidency is explicitly tasked with “facilitating collaboration among government agencies, private sectors, and international stakeholders” and ensuring coordination across entities.
But the structure remains fundamentally vertical: the new body reports directly to the president, centralising authority in a single entity rather than distributing responsibility across sectors. Unlike the Danish model, in which each ministry develops its own sub-strategy within its area of competence, Turkey’s framework concentrates policy, oversight, and enforcement in one institution.
In a 2022 study, Nezir Akyesilmen, a professor of International Relations at Selcuk University, said that while Turkey’s various national cybersecurity strategies have been based on the need for public and private entities to work together, “in practice, there has been little cooperation”.
He noted the absence of private sector representatives on the Cybersecurity Board, a government body composed of officials from various ministries and agencies, and in Turkey’s regulatory institutions, and that public and sectoral incident response teams also lack private participation.
Seker cited the example of the United States, where the Cybersecurity and Infrastructure Security Agency, CISA, “works openly with companies like Microsoft, joins events with them, and helps support local product ecosystems”.
“Turkey has many promising local cyber vendors and developers, but public-sector collaboration and visible support are not yet where they need to be.”
“During major incidents, many companies hesitate to share information with authorities, which slows down national coordination, even though public institutions are often in the best position to help.”
A stronger partnership model, Seker argued, would include shared mandatory breach-reporting mechanisms, sector-specific minimum security standards, a national threat-intelligence sharing platform, regular joint exercises between security operations centres and incident response teams, supply-chain security certification for critical sectors, and transparent audit processes.
Albeniz agreed that institutional structures alone cannot close the gap between strategy and practice.
“Establishing institutional structures such as strategies, presidencies, councils is important,” he said. “But success in cybersecurity is measured not on paper, but in live production environments.”
He gave several reasons why breaches continue despite a decade of official frameworks: perverse incentives that encourage institutions to conceal risks rather than disclose them early; legacy systems whose extensive supply chains, subcontractors and authentication integrations expand the attack surface; and a lack of maturity in disciplines such as zero trust architecture, which requires continuous verification of every user and device rather than assuming anything inside the network is safe, strict control over who holds privileged access to sensitive systems, and deliberate management of third-party access to networks.
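The “continuous verification” Albeniz refers to is easiest to see as a decision function that runs on every request and denies by default. The Python below is an added illustration written for this page, not code from the article’s sources or from any Turkish institution; the policy tables, field names, thresholds and the sample requests are constructed assumptions, and the fixed clock exists only so the example is reproducible offline.

```python
"""Per-request access decision in the zero-trust style described above.

Added illustration for this article, not code from any institution or
source quoted in it. Policy tables, field names, thresholds and sample
requests are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the sample decisions below are reproducible.
NOW = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    managed: bool                 # enrolled in the organisation's device management
    disk_encrypted: bool
    last_posture_check: datetime  # when the agent last reported a clean state


@dataclass
class Subject:
    user: str
    org: str                      # "internal" or the name of a contractor (assumed)
    mfa_at: Optional[datetime]    # when MFA was last completed, None if never
    roles: set = field(default_factory=set)


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str                 # e.g. "citizen-db" (assumed name)
    action: str                   # "read" or "admin"
    now: datetime


# Least privilege: which roles may do what. Anything not listed is denied.
RESOURCE_POLICY = {
    ("citizen-db", "read"): {"case-worker", "dba"},
    ("citizen-db", "admin"): {"dba"},
}
# Third-party access: contractors only reach what is explicitly delegated.
THIRD_PARTY_SCOPE = {
    "vendor-x": {("citizen-db", "read")},
}
MFA_MAX_AGE = timedelta(hours=8)
ADMIN_MFA_MAX_AGE = timedelta(minutes=15)   # privileged actions need fresh MFA
POSTURE_MAX_AGE = timedelta(hours=1)


def evaluate(req: Request):
    """Return (allowed, reason). Every check must pass; being 'inside' earns nothing."""
    s, d = req.subject, req.device
    # 1. Identity: recent MFA, stricter for privileged actions.
    if s.mfa_at is None:
        return False, "no MFA"
    max_age = ADMIN_MFA_MAX_AGE if req.action == "admin" else MFA_MAX_AGE
    if req.now - s.mfa_at > max_age:
        return False, f"MFA older than {max_age} for action {req.action}"
    # 2. Device posture: managed, encrypted and checked recently.
    if not (d.managed and d.disk_encrypted):
        return False, "device not managed or not encrypted"
    if req.now - d.last_posture_check > POSTURE_MAX_AGE:
        return False, "stale device posture"
    # 3. Third-party scope: contractors are limited to delegated (resource, action) pairs.
    if s.org != "internal" and (req.resource, req.action) not in THIRD_PARTY_SCOPE.get(s.org, set()):
        return False, f"{s.org} not delegated {req.action} on {req.resource}"
    # 4. Role must explicitly grant the action on the resource.
    if not (s.roles & RESOURCE_POLICY.get((req.resource, req.action), set())):
        return False, "no role grants this action"
    return True, "all checks passed"


def demo():
    """Constructed sample requests; returns {label: (allowed, reason)}."""
    good_dev = Device(True, True, NOW - timedelta(minutes=10))
    byod = Device(False, True, NOW - timedelta(minutes=10))
    worker = Subject("ayse", "internal", NOW - timedelta(hours=1), {"case-worker"})
    dba_fresh = Subject("mehmet", "internal", NOW - timedelta(minutes=5), {"dba"})
    dba_stale = Subject("mehmet", "internal", NOW - timedelta(hours=1), {"dba"})
    vendor = Subject("contractor1", "vendor-x", NOW - timedelta(minutes=5), {"dba"})
    cases = {
        "worker reads": Request(worker, good_dev, "citizen-db", "read", NOW),
        "worker admin": Request(worker, good_dev, "citizen-db", "admin", NOW),
        "dba admin fresh mfa": Request(dba_fresh, good_dev, "citizen-db", "admin", NOW),
        "dba admin stale mfa": Request(dba_stale, good_dev, "citizen-db", "admin", NOW),
        "worker on unmanaged laptop": Request(worker, byod, "citizen-db", "read", NOW),
        "vendor reads": Request(vendor, good_dev, "citizen-db", "read", NOW),
        "vendor admin": Request(vendor, good_dev, "citizen-db", "admin", NOW),
    }
    return {label: evaluate(r) for label, r in cases.items()}


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:28} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Note the ordering: the contractor holding a “dba” role is still refused the admin action because the third-party scope check runs before the role check, so a role granted by mistake to an outside account never widens what that account can reach.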
Asked whether Turkey’s data security problem is primarily technical, governance-related, or political, Albeniz replied: “It would be misleading to reduce this problem to something purely ‘technical’. Transparent notification, independent oversight, corrective action tracking, and clear responsibility chains are essential.”