How Bulgaria got hacked
Data of almost every adult in the Balkan nation has been stolen in tax agency breach
The government of Bulgaria has revealed that a major data breach of servers at its national tax agency may have affected more than five million people - in a country with a total population of just 7.1 million.
Hackers are understood to have targeted Bulgaria’s National Revenue Agency (NRA) in an attack at the end of June that “may have continued for some time”, The New York Times reports.
According to tech news site The Next Web, the stolen information includes card details, Pin numbers, addresses and even income data.
The breach was kept secret until this week, when a number of Bulgarian news agencies received an email claiming responsibility for the massive breach.
The author of the email, who claims to be a Russian hacker, offered media outlets access to the stolen data but did reveal the motive for the attack. Describing the Bulgarian government as corrupt, the email said the breach had “compromised more than 110 databases”, including “critically confidential” information, Reuters reports.
Finance Minister Vladislav Goranov disputed the claims, insisting that the leaked information was not classified and did not endanger financial stability. Nevertheless, he apologised to the nation and stressed that anyone found trying to exploit the data “would fall under the impact of Bulgarian law”.
On Tuesday, Bulgarian authorities arrested a 20-year-old national on suspicion of involvement in the attack. He was identified by his lawyer as Kristiyan Boikov, an employee of US cybersecurity company TAD Group, which has an office in the Bulgarian capital, Sofia.
Speaking at a government meeting on Wednesday, Prime Minister Boyko Borissov described Boikov as a “wizard”, The Guardian reports. The cybersecurity worker also made national news in 2017, after “exposing flaws in the Bulgarian education ministry’s website”, the newspaper adds.
Cybersecurity researcher Vesselin Bontchev, an assistant professor at Sofia’s Bulgarian Academy of Sciences, told Reuters it was “safe to say that the personal data of practically the whole Bulgarian adult population has been compromised” in the latest attack.
He noted that as “the first publicly known major data breach in Bulgaria”, the attack is likely to fuel debate over the country’s apparently lax cybersecurity infrastructure.
“The reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices at the NRA,” said Bozhidar Bozhanov, chief executive at cybersecurity firm LogSentinel.
The Inquirer agrees that the breach “may have been down to vulnerabilities in the agency’s online tax filing system and generally poor cybersecurity practices”, and adds that such problems tend to be “a bit of a theme in governments who tend to end up with large and complex legacy systems”.
In cybersecurity terms, a legacy system can be defined as any system that is old enough to increase the vulnerability of the user to current technological threats. These systems may remain in place to avoid upgrade costs, because certain applications rely on the older version to function, or simply as a result of misplaced complacency.
The NRA is now facing a fine of up to €20m ($22.43m) over the hack under the European Union’s GDPR regulations, which came into effect in 2018. Under the new data protection law, the NRA could be fined up to 4% of its annual turnover.
And as Al Jazeera reports, this is no bluff. Earlier this month, British Airways was hit with a £183m fine - equivalent to 1.5% of the airline’s turnover - over a hack that led to the personal details of 500 million customers being compromised.