BIRN digital rights monitors documented several cyberattacks and data breaches across the Western Balkans and Turkey, targeting public institutions and private entities, with serious implications for services, infrastructure, and the security of data and digital assets.
Foreign-linked hacker attacks on critical infrastructure exposed enduring institutional vulnerabilities. In March 2026, Iranian-linked hackers from the group Homeland Justice claimed responsibility for cyberattacks against two Albanian institutions. They targeted parliament and the Albanian Post, publishing data and e-mail correspondence of parliamentary members and postal representatives on Telegram.
The attack on parliament was described in a public statement as “sophisticated” but that the “main working infrastructure has not been affected”. According to the AKSK, the cyberattack on parliament had significant operational impact, and aimed to delete data and servers and to obtain and exfiltrate sensitive information. AKSK also confirmed the attack on the postal service and launched an investigation into its scope and sources.
These incidents underscore persistent threats to Albania’s critical state infrastructure, continuing a pattern of many attacks attributed to the hacker group since 2022. That year, major cyberattacks reportedly carried out by Iran targeted the Albanian government in retaliation for hosting Iranian dissidents, ultimately leading to the severing of diplomatic ties between the two countries.
Experts have criticised the repeated cyberattacks on Albania’s infrastructure as a sign of systemic negligence, noting that basic security measures have not been implemented despite prior incidents. They emphasise that the ease of these attacks reflects institutional failure rather than hackers’ sophistication.
In North Macedonia, a report by cybersecurity watchdog Ctrl Alt Intel identified that at least one government email domain (gov.mk) had been compromised by the Russian hacker group Fancy Bear, believed to be linked to Russian military intelligence. The government indicated no incident had been officially recorded and suggested the email addresses might have been obtained from public sources. However, experts warned that the presence of sensitive addresses (reportedly including from the Ministry of Defence) in Fancy Bear’s materials signals potential targeting of state institutions, highlighting persistent risks to critical infrastructure. In 2024, North Macedonia joined Western sanctions against Russia and sent weapons and equipment to Ukraine.
In March, BIRN monitors also recorded significant data breaches affecting major telecom and internet service providers across the Western Balkans and Turkey. These leaks exposed the personal data of hundreds of thousands of individuals.
In Serbia, Telekom Srbija suffered a major data breach affecting over 600,000 users. The leaked information included names, addresses, apartment and floor numbers, mobile numbers, and unique personal identifiers, while the attackers attempted to extort the company by threatening to publish the stolen data. The company coordinated with the Ministry of Interior, and investigations were launched by both law enforcement and the Commissioner for Information of Public Importance and Personal Data Protection.
A similar breach occurred in Turkey, where Turkcell Superonline, a major internet service provider, experienced a data leak exposing 300,000 customers’ personal information, including names, identification numbers, contact details, and subscription information. The breach was detected through dark web monitoring. Investigations into the origin and scope of the incident are ongoing.
Both cases reveal critical weaknesses in customer data security, placing affected individuals at risk of identity theft, financial fraud, and targeted phishing.
In Albania, risks related to data breaches have already moved beyond the theoretical and into tangible harm. According to the state police, an individual’s financial identity was stolen and used to open a fraudulent bank account, enabling unauthorised debit card transactions carried out in Spain.
Overall, these registered incidents across the Western Balkans and Turkey reflect a broader trend of increasingly sophisticated cyberattacks and data breaches targeting both public and private sector infrastructure. Attackers are exploiting systemic vulnerabilities in IT systems, critical databases, and communication networks, often combining espionage, financial extortion, and public exposure of sensitive data. The consequences extend beyond immediate financial or personal data loss and threaten public trust in institutions and raise national security concerns.
Governments and companies must take responsibility and make cybersecurity and data protection a priority in order to address longstanding failures that have left people exposed.
As things stand, privacy in the region increasingly feels like a luxury rather than a guaranteed right.
