The “nightmare scenario” for a data breach is a leak of a government’s trove of personal data; for example, the tax information of every citizen. Bulgaria just suffered a massive data breach that qualifies.
Five million of the country’s seven million citizens had their personal data exposed in a hack of the country’s national tax agency. The information leaked in the attack includes social security information and income in addition to full names, birthdates and addresses dating back as far as 2007. That’s not only everything an identity thief would want, but also enough data to comb through and isolate the most lucrative targets. The hacker released half of the database to reporters, and then posted the other half to several public forums.
Bulgaria’s Massive Data Breach
Bulgaria’s National Revenue Agency was breached sometime in June, but the exact attack window is still unclear. It appears that the agency was not aware of it until the attacker sent a taunting email to various news outlets on July 15, declaring that “The state of your cybersecurity is a parody”, a variation of a quote famously used by Julian Assange. The claims of responsibility came from a Russian Yandex email address, though one does not necessarily have to be in Russia to set one of those up.
Bulgarian police arrested a 20-year-old computer programmer and resident of the capital city of Sofia on July 17 in connection with the massive data breach. It is unclear if this person is the perpetrator, however, as some Bulgarian officials indicated they believed Russia might be behind the cyber attacks. Aside from a general preponderance of for-profit and nation-state hacking attempts coming from the country, the officials believed that this might be retaliation for the country’s recent agreement to buy F-16 fighter jets from the United States. Bulgaria backed out of that deal on July 23 over contract terms.
The breach was the biggest individual theft of data in the Balkan states, and triggered an emergency security meeting between the heads of the region’s security agencies. Bulgaria joined NATO in 2004 and has since been receiving cybersecurity development assistance from the organization’s Cooperative Cyber Defense Centre of Excellence program.
It is possible for Bulgaria to receive assistance from the European Union if a nation-state was involved in the massive data breach, including potential sanctions. However, there would need to be clear evidence of the attacker’s identity, which is a rarity in these types of attacks. The Bulgarian resident arrested in connection with the attacks is a former “black hat” hacker by the name of Kristiyan Boikov, currently employed by a cybersecurity firm called the TAD Group. Boikov may have been rounded up as a “usual suspect” in this case, as he was involved in a 2017 incident in which he publicly exposed a vulnerability in the Bulgarian education ministry’s website.
A second email arrived from the alleged attacker after Boikov was taken into custody, suggesting that the Bulgarian government had the wrong man and would attempt to cover up the massive data breach. The man claiming responsibility has since given a remote interview to a Bulgarian TV station.
Cybersecurity researcher Vesselin Bontchev of the Bulgarian Academy of Sciences painted a grim picture of the scope of this massive data breach. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised,” he claimed in an interview with Reuters. In addition to the possibility of identity theft, Bulgarians will have to worry about this information being used to enhance scams. Scams that target the elderly for money transfers or transfers of property have been an ongoing issue in the country.
Finance minister Vladislav Goranov has apologised for the breach, but has yet to propose any concrete steps for the protection of citizens who had their personal information exposed.
As a member of the European Union, Bulgaria’s government agencies are subject to the terms and penalties of the General Data Protection Regulation (GDPR). In the case of a massive data breach such as this, there would normally be a potential fine of up to 20 million euros, or 4% of annual revenue. The amount of the fine is determined by the total count of people affected and records of personal data leaked.
While government agencies are just as subject to GDPR rules as anyone else, the actual consequences for them differ. Fines for GDPR violations are generally issued internally by each country’s Data Protection Authority (DPA), which has some leeway to set its own terms. Most countries have just firmed up their fining policies in early 2019.
There have been few cases to date across Europe in which a government agency has been found to be non-compliant; these have mostly been in the UK and have resulted in enforcement notices being handed out to the agencies in question to take corrective action rather than an immediate fine. None have involved a massive data breach of computer networks at this level.
To date, Bulgaria has generally been lenient about its GDPR fines. Warnings and reprimands have been the most common course of action in response to complaints about data breaches, and fines have rarely exceeded 5,000 euros when issued. The country has struggled with a perception of widespread government corruption for the past two decades, and has been cited as the most corrupt government in the European Union by NGO Transparency International. That impression would certainly not be helped if the agencies in question face no consequences for such a massive data breach.
Bulgaria is still investigating the stolen data internally as a national security issue, so it is still not clear exactly which agencies would be held responsible or what the corrective action would be.
A Unique Breach
There have certainly been much bigger breaches in the world in terms of overall record count, but this is the first massive data breach that has compromised a national government’s sensitive citizen information to this degree. It’s akin to hackers managing to abscond with the entirety of the U.S. Internal Revenue Service data, or that of the UK’s HM Revenue and Customs.