The government of Bulgaria has revealed that a major data breach of servers at its national tax agency may have affected more than five million people - in a country with a total population of just 7.1 million.
Hackers are understood to have targeted Bulgaria’s National Revenue Agency (NRA) in an attack at the end of June that “may have continued for some time”, The New York Times reports.
According to tech new site The Next Web, the stolen information includes card details, Pin numbers, addresses and even income data.
The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
The breach was kept secret until this week, when a number of Bulgarian news agencies received an email claiming responsibility for the massive breach.
The author of the email, who claims to be a Russian hacker, offered media outlets access to the stolen data but did reveal the motive for the attack. Describing the Bulgarian government as corrupt, the email said the breach had “compromised more than 110 databases”, including “critically confidential” information, Reuters reports.
Finance Minister Vladislav Goranov disputed the claims, insisting that the leaked information was not classified and did not endanger financial stability. Nevertheless, he apologised to the nation and stressed that anyone found trying to exploit the data “would fall under the impact of Bulgarian law”.
On Tuesday, Bulgarian authorities arrested a 20-year-old national on suspicion of involvement in the attack. He was identified by his lawyer as Kristiyan Boikov, an employee of US cybersecurity company TAD Group, which has office in the Bulgarian capital, Sofia.
Speaking at a government meeting on Wednesday, Prime Minister Boyko Borissov described Boikov as a “wizard”, The Guardian reports. The cybersecurity worker also made national news in 2017, after “exposing flaws in the Bulgarian education ministry’s website”, the newspaper adds.
Cybersecurity researcher Vesselin Bontchev, an assistant professor at Sofia’s Bulgarian Academy of Sciences, told Reuters it was “safe to say that the personal data of practically the whole Bulgarian adult population has been compromised” in the latest attack.
He noted that as “the first publicly known major data breach in Bulgaria”, the attack is likely to fuel debate over the country’s apparently lax cybersecurity infrastructure.
“The reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices at the NRA,” said Bozhidar Bozhanov, chief executive at cybersecurity firm LogSentinel.
The Inquirer agrees that the breach “may have been down to vulnerabilities in the agency’s online tax filing system and generally poor cybersecurity practices”, and adds that such problems tend to be “a bit of a theme in governments who tend to end up with large and complex legacy systems”.
In cybersecurity terms, a legacy system can be defined as any system that is old enough to increase the vulnerability of the user to current technological threats. These systems may remain in place to avoid upgrade costs, because certain applications rely on the older version to function, or simply as a result of misplaced complacency.
The NRA is now facing a fine of up to €20m ($22.43m) over the hack under the European Union’s GDPR regulations, which came into effect in 2018. Under the new data protection law, the NRA could be fined up to 4% of its annual turnover.
And as Al Jazeera reports, this is no bluff. Earlier this month, British Airways was hit with a £183m fine - equivalent to 1.5% of the airline’s turnover - over a hack that led to the personal details of 500 million customers being compromised.
-
What to watch on TV this Februarythe week recommends An animated lawyers show, a post-apocalyptic family reunion and a revival of an early aughts comedy classic
-
Is the US in a hiring recession?Today's Big Question The economy is growing. Job openings are not.
-
How to juggle saving and paying off debtthe explainer Putting money aside while also considering what you owe to others can be a tricky balancing act
-
Epstein files topple law CEO, roil UK governmentSpeed Read Peter Mandelson, Britain’s former ambassador to the US, is caught up in the scandal
-
Iran and US prepare to meet after skirmishesSpeed Read The incident comes amid heightened tensions in the Middle East
-
Israel retrieves final hostage’s body from GazaSpeed Read The 24-year-old police officer was killed during the initial Hamas attack
-
China’s Xi targets top general in growing purgeSpeed Read Zhang Youxia is being investigated over ‘grave violations’ of the law
-
Panama and Canada are negotiating over a crucial copper mineIn the Spotlight Panama is set to make a final decision on the mine this summer
-
Why Greenland’s natural resources are nearly impossible to mineThe Explainer The country’s natural landscape makes the task extremely difficult
-
Iran cuts internet as protests escalateSpeed Reada Government buildings across the country have been set on fire
-
US nabs ‘shadow’ tanker claimed by RussiaSpeed Read The ship was one of two vessels seized by the US military
