Image by Arzu Geybullayeva, created using Canva Pro.

Since August 4, Turkey has been gripped by revelations of a wide-ranging forgery network accused of producing fake university diplomas, altering academic records, and even manipulating driver’s license exams. According to prosecutors, suspects infiltrated Turkey’s e-government system, e-Devlet (e-State), by fraudulently obtaining electronic signatures belonging to senior officials at ministries, universities, and regulatory agencies.

With these stolen digital credentials, they created fake university diplomas in law, psychology, and civil engineering; altered transcripts to boost students’ grades or facilitate transfers; and even tampered with driver’s license tests, registering failing candidates — including some who were illiterate — as successful.

According to The Financial Times, “Among the most scandalous items was a supposedly fake degree issued to a civil engineer whose company has won major infrastructure tenders, and the stolen identities of lawyers who died in the massive 2023 earthquake.”

Turkey's long history of data leaks

Turkish citizens have long been exposed to personal data breaches, including one in 2016, when the personal data of some 50 million people — names, addresses, parents’ first names, cities of birth, birth dates, and national ID numbers — were leaked. The following year, some 60 million subscribers of Turkey's major Global System for Mobile Communications (GSM) operator, Turkcell, had their personal data breached.

In 2021, a cyberattack on the country's biggest food delivery app, Yemeksepeti, resulted in a leak of the data of 19 million customers, including logins, phone numbers, emails, and address information. In 2023, following a hack on the country's main public administration portal, the personal data of 85 million Turkish citizens and millions of residents were also leaked.

By 2024, a cyber attack on the information management system of a local hospital in Istanbul resulted in a leak of the medical records of millions of patients. That same year, Turkish authorities revealed that a data breach during the pandemic led to the stolen data of over 100 million citizens, including those living abroad, refugees, and other individuals whose names were registered with official institutions.

January 2025 also saw a breach of satellite data; by March, Turkey adopted a new cybersecurity law, which introduced stringent measures such as criminalizing reporting on data leaks and granting extraordinary powers to the head of the newly created Cybersecurity Directorate. At the time, critics argued that the law's vague and far-reaching language places disproportionate emphasis on controlling online narratives rather than securing digital infrastructure. The Council of Higher Education (YÖK), a government institution in charge of supervising the universities, later announced it had filed criminal complaints against individuals and institutions spreading such allegations.

The Interior Ministry, meanwhile, confirmed it was aware of the most recent breach. Through the details were only made public in August, the ministry started an investigation a year ago and have already detained nearly 200 suspects in connection with the breach. In a tweet on X, the Minister of the Interior said at least 57 fake diplomas, 108 forged driver’s licenses, and four counterfeit high school diplomas were uncovered as a result of these ongoing investigations.

On August 6, Tülay Hatimoğulları and Tuncer Bakırhan, co-chairs of the Peoples’ Equality and Democracy Party (DEM Parti), submitted a complaint to the Ankara Chief Public Prosecutor requesting a comprehensive criminal investigation into both individuals and state institutions involved in the breach.

Institutional backlash and denials

As news of the scandal spread, YÖK firmly denied the reports, saying that none of the suspects under investigation worked as academics in Turkish universities.

Calling for full accountability and the harshest penalties for those responsible, the Istanbul Bar Association described the scandal as both a blow to public order and a “grave disrespect” to colleagues who lost their lives in the earthquakes, whose academic records were unlawfully altered.

The Union of Chambers of Turkish Engineers and Architects (TMMOB) called it one of the most severe forgery cases in the history of the republic, linking it to years of eroded meritocracy and weakened oversight. “This is not an isolated incident,” TMMOB chair Emin Koramaz said, “but a manifestation of systemic decay where public trust has been undermined and professional standards ignored.”

Demanding accountability, including resignations and the initiation of an independent technical review, the Chamber of Computer Engineers (BMO) highlighted how copied e-signatures exposed serious flaws in digital infrastructure, while the Turkish Psychologists Association (TPD) pointed to alarming cases of fake psychologists treating patients for fees, warning that such practices put public health at risk and renewing calls for a long-delayed professional law.

The DEM Parti's Nurdan Kılıç underlined that the scandal is not simply a case of isolated wrongdoing, but a multi-dimensional criminal structure that has penetrated various tiers of the state, undermining public order, trust, and meritocracy. The diploma scandal has emerged alongside other forgery investigations, including allegations that civil registry officials issued fake passports and IDs to foreign nationals in exchange for bribes.

For many observers, the affair underscores a broader structural problem: the weakening of oversight, the neglect of merit-based systems, and the erosion of accountability.

At a press conference, Suat Özçağdaş, the Istanbul deputy and party vice chair of the Republican People's Party (CHP), sharply criticized the Information and Communication Technologies Authority (BTK) and its president, Abdullah Karagözoğlu, who is responsible for cybersecurity: “He didn’t even notice his own e-signature being duplicated. If he had any sense of shame, both the Minister of Transport and the BTK head would have resigned by now. They haven’t said a word. It’s like the Ministry of Agriculture is responsible for cyber-security.”

On August 7, the BTK shared a public announcement that stated “35 fraudulent e-signatures detected by BTK were immediately canceled, and in subsequent efforts, 9 additional fraudulent e-signatures were also revoked.” The statement continued, “Security mechanisms against fraud have been enhanced, and stronger measures have been implemented. To raise public awareness, an SMS with a header containing the Elektronik Sertifika Hizmet Sağlayıcı [Electronic Certificate Service Provider] title was sent to all mobile numbers registered to the [national] identity numbers of Nitelikli Elektronik Sertifika [secure electronic signature] holders.”

This however, rang hollow and the CHP continued to criticize the BTK in its continued calls for accountability. “When such a scandal breaks, the relevant minister — and anyone else in the chain of responsibility — should all resign,” said CHP Vice Chair and Istanbul deputy Ulaş Karasu on August 8.

“BTK, responsible for data security,” he continued, “cannot shirk responsibility with its two-line statement. The question ‘Which chain of institutional neglect across which state bodies caused these data breaches?’ must be answered first by the Ministry of Transport, its minister, and all related institutions.”

The BTK is quite controversial. In 2022, the online news platform Medyascope.tv published an investigation revealing that, beginning in 2021, the state institution was collecting private user data in a massive breach of privacy.

On August 8, the Cumhuriyet newspaper published an interview with a member of the diploma forgery gang, who admitted that the network’s operations went far beyond diplomas. The interviewee, who spoke on condition of anonymity, revealed that the gang also forged the identities of judges, prosecutors, soldiers, and police officers, as well as press cards, pregnancy and ultrasound reports, and disability health reports. The age group of their “clients” ranged from 23 to 48 years old — citizens who were already active in the workforce and were seeking diplomas for promotion, status, or egotistical reasons.

Fixing the problem

More than a series of individual crimes, the diploma forgery scandal is a symptom of systemic weaknesses in Turkey’s digital infrastructure, oversight mechanisms, and accountability structures.

From stolen e-signatures to altered diplomas and compromised personal data, the controversy has exposed how easily public trust can be undermined when institutions fail to safeguard both meritocracy and privacy. Addressing these vulnerabilities will require not only technical fixes and stronger cybersecurity measures, but also clear accountability, legal reform, and a commitment to transparency.

Without such measures, Turkey risks further breaches that could erode confidence in its institutions and compromise the safety and rights of its citizens.