ÖSYM Cyber Breach: Students’ University Preferences Hacked and Altered Before Deadline

A shocking cyberattack targeting Türkiye’s Student Selection and Placement Center (ÖSYM) has raised questions about the security of one of the country’s most critical digital education systems. According to reports, unauthorized access was gained to the ÖSYM online portal, and the university preference lists of several students were changed without consent just minutes before the selection deadline expired.

The incident came to light after four students filed complaints, leading to a lawsuit at the Ankara 24th Administrative Court. However, officials suspect that many more students may have been affected by the breach.

Unauthorized Access During Final Minutes of Preference Period

As journalist İsmail Saymaz reported in Halk TV, the breach occurred late on August 13, the final night of the university preference period. Just before the system closed, hackers infiltrated the ÖSYM database and altered several students’ submissions.

One of the first identified victims was C.Ş., a student from İzmir, who ranked 23,000th in the quantitative track of the national university exam and was eligible for medical school placement. On the last day of submissions, C.Ş. logged in with his father to finalize his list — filling his top 22 choices with public university medical schools and the last two with dentistry programs.

He submitted the form at 11:28 p.m. But when he logged back in at 12:07 a.m., he found that his list had been completely altered: all medical schools were deleted, replaced with elderly care programs at private universities.

The family immediately contacted the police, filed complaints with CİMER (Presidency Communication Center) and the İzmir Chief Public Prosecutor’s Office, and submitted a petition directly to ÖSYM headquarters in Ankara. A lawsuit was later filed against the institution.

Same IP Used to Access Multiple Accounts

An investigation revealed that C.Ş.’s account was accessed from an IP address registered to a man named M.H.C. living in Istanbul’s Ümraniye district. The suspect denied involvement, claiming he was not home during the incident and had no connection to the victims. He now faces trial for “illegally obtaining and using personal data.”

Further analysis by the court uncovered that this same IP address had also been used to access the accounts of three other students — identified as Y.S. from Giresun, M.B. from Hatay, and E.N. from Istanbul. While the port numbers differed, the origin was the same — suggesting a coordinated cyber intrusion rather than isolated cases.

Possible Large-Scale Cyberattack

The ÖSYM response to the court’s inquiry confirmed that multiple complaints had been received, undermining earlier claims that the breach was a one-off incident. The pattern across the cases was identical: in each instance, the students’ original choices were replaced with private university programs in elderly care, a move that could benefit specific institutions financially.

Adding to suspicions, login attempts from IP addresses traced to Ukraine and Russia were recorded on the victims’ e-Devlet (Turkish e-government) accounts shortly before the preference changes occurred — indicating that the hackers may have exploited international proxy networks or compromised credentials.

Cybersecurity experts say the case shows how critical exam and placement systems remain vulnerable to targeted attacks, especially during high-stakes periods like university admissions. “The fact that these changes were made within minutes of the deadline suggests insider knowledge or precise timing,” one analyst commented, urging the government to audit data access and logging mechanisms within ÖSYM’s servers.

Broader Implications for Data Security

The incident has triggered public outrage and institutional embarrassment, with parents and students demanding accountability. Lawmakers have called for a parliamentary investigation into ÖSYM’s cybersecurity measures, arguing that such breaches could undermine trust in the national examination system, which processes millions of students annually.

Legal experts note that if proven systemic, this case could lead to compensation claims and potential criminal charges for negligence within ÖSYM’s IT administration.

While only four confirmed victims have come forward, digital forensic findings suggest the real number could be much higher. Authorities are now working to determine whether the breach was financially motivated, politically influenced, or linked to a larger network of educational fraud.