How Bulgaria got hacked

The government of Bulgaria has revealed that a major data breach of servers at its national tax agency may have affected more than five million people - in a country with a total population of just 7.1 million.

Hackers are understood to have targeted Bulgaria’s National Revenue Agency (NRA) in an attack at the end of June that “may have continued for some time”, The New York Times reports.

According to tech new site The Next Web, the stolen information includes card details, Pin numbers, addresses and even income data.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

The breach was kept secret until this week, when a number of Bulgarian news agencies received an email claiming responsibility for the massive breach.

The author of the email, who claims to be a Russian hacker, offered media outlets access to the stolen data but did reveal the motive for the attack. Describing the Bulgarian government as corrupt, the email said the breach had “compromised more than 110 databases”, including “critically confidential” information, Reuters reports.

Finance Minister Vladislav Goranov disputed the claims, insisting that the leaked information was not classified and did not endanger financial stability. Nevertheless, he apologised to the nation and stressed that anyone found trying to exploit the data “would fall under the impact of Bulgarian law”.

On Tuesday, Bulgarian authorities arrested a 20-year-old national on suspicion of involvement in the attack. He was identified by his lawyer as Kristiyan Boikov, an employee of US cybersecurity company TAD Group, which has office in the Bulgarian capital, Sofia.

Speaking at a government meeting on Wednesday, Prime Minister Boyko Borissov described Boikov as a “wizard”, The Guardian reports. The cybersecurity worker also made national news in 2017, after “exposing flaws in the Bulgarian education ministry’s website”, the newspaper adds.

Cybersecurity researcher Vesselin Bontchev, an assistant professor at Sofia’s Bulgarian Academy of Sciences, told Reuters it was “safe to say that the personal data of practically the whole Bulgarian adult population has been compromised” in the latest attack.

He noted that as “the first publicly known major data breach in Bulgaria”, the attack is likely to fuel debate over the country’s apparently lax cybersecurity infrastructure.

“The reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices at the NRA,” said Bozhidar Bozhanov, chief executive at cybersecurity firm LogSentinel.

The Inquirer agrees that the breach “may have been down to vulnerabilities in the agency’s online tax filing system and generally poor cybersecurity practices”, and adds that such problems tend to be “a bit of a theme in governments who tend to end up with large and complex legacy systems”.

In cybersecurity terms, a legacy system can be defined as any system that is old enough to increase the vulnerability of the user to current technological threats. These systems may remain in place to avoid upgrade costs, because certain applications rely on the older version to function, or simply as a result of misplaced complacency.

The NRA is now facing a fine of up to €20m ($22.43m) over the hack under the European Union’s GDPR regulations, which came into effect in 2018. Under the new data protection law, the NRA could be fined up to 4% of its annual turnover.

And as Al Jazeera reports, this is no bluff. Earlier this month, British Airways was hit with a £183m fine - equivalent to 1.5% of the airline’s turnover - over a hack that led to the personal details of 500 million customers being compromised.