A compressed Gzip tarball ( .tar.gz ) containing raw SQL databases.
// Example structure for querying the official service try $client = new SoapClient("https://tckimlik.nvi.gov.tr/Service/KPSPublic.asmx?WSDL"); $response = $client->TCKimlikNoDogrula([ 'TCKimlikNo' => $_POST['tc_no'], 'Ad' => $_POST['first_name'], 'Soyad' => $_POST['last_name'], 'DogumYili' => $_POST['birth_year'] ]); if ($response->TCKimlikNoDogrulaResult) echo "Identity is valid."; else echo "Identity is NOT valid.";
According to reports and discussions on platforms like DonanımHaber Forum , the SQL dump was believed to contain the following sensitive personal information: Turkish Republic Identity Number. Adı ve Soyadı: First and Last Name. Anne ve Baba Adı: Mother and Father's Name. Doğum Yeri ve Tarihi: Place and Date of Birth. Adres Bilgileri: Registered Residential Address. Security Implications and Risks mernis.tar.gz
Security notes
Technically, a file with the .tar.gz extension is a —a collection of files packaged together using the tar command and compressed with gzip . It is a common archive format in Linux systems designed for storing multiple files into a single, compact archive. A compressed Gzip tarball (
Full Names: First, middle, and last names of citizens.National ID Numbers: The 11-digit T.C. Kimlik No used for all legal and state transactions.Gender: Biological sex markers.Place of Birth: Specific city and district information.Date of Birth: Exact birth dates.Full Addresses: Registered residential locations.Parental Names: Names of the mother and father. Security and Political Implications
However, if the file is unencrypted, located in a public directory ( /var/www/html , /backup/public ), or accessible over the internet, the assumed intent is malicious until proven otherwise. Anne ve Baba Adı: Mother and Father's Name
Technical strategies for against mass data scraping.
mernis.tar.gz remains a stark reminder of the permanent nature of data leaks. Once digital identity data is pushed to the public web, it cannot be pulled back. The incident forced Turkey to radically overhaul its cyber defense strategies, leading to the enforcement of the Personal Data Protection Law ( KVKK ) in 2016 and the mandatory adoption of secure, chip-enabled national ID cards. However, for the 50 million citizens whose data was zipped into that infamous archive, the digital echoes of the breach continue to demand heightened vigilance.
Because the data is in SQL format, it is relatively easy for malicious actors to import it into a database management system to create searchable tools, often referred to as "query panels," allowing anyone to look up personal data by national ID. Technical Implications of the File Size