News & Analysis

Bulgarian police arrest suspect of huge tax data breach

cyber security

Bulgarian media revealed earlier this week that the country’s National Revenue Agency had experienced a mass security breach that took the names, addresses, declared incomes and social security information of more than five million citizens. 

The hacker anonymously emailed Bulgarian media with 57 folders containing 11 gigabytes of information, encouraging journalists to comb through. The email stated that this was only a part of the stolen data, warning that 110 folders with a total of 21 gigabytes had been taken in total. Bulgarian news site Capital reported that while much of the information is old, dating back to 2007, some data had been declared as recently as June this year. 

The email is reported to have stated: “Your government is backward. The state of your cybersecurity is a parody,” followed by a call to release Wikileaks founder Julian Assange. 

It was sent from a Russian address which has prompted some officials to point fingers at Russia. There has been tension between the two countries since Bulgaria announced earlier this month that it would buy American made F-16 fighter jets.

“To the best of my knowledge, this is the first publicly known major data breach in Bulgaria,” cybersecurity expert Dr Vesselin Bontchev told the New York Times. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.”

Prime Minister Boyko Borissov called an emergency meeting of the nation’s security agencies to devise how best to respond to the situation. Mr Borissov later claimed that the hacker was a “wizard” and emphasised that the government should hire those of a similar technical calibre to work for the state, rather than against it. Finance Minister Vladislav Goranov apologised for the security breach and reminded citizens that the culprit “would fall under the impact of Bulgarian law.” 

The response of the public has been varied as some have called out the government on social media, mocking its poor security. Others have taken extra precautions amongst mounting fears of identity theft, while many are still grappling with the repercussions of what it means to have their data stolen. The National Revenue Agency could face a fine of up to 20 million euros for failing to protect citizens’ personal records. 

This attack raises questions surrounding the vulnerability of state cybersecurity networks and highlights the dangers of an increasingly digitalised world. Chief executive at the cybersecurity firm LogSentinel suggested that: “the reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices at the Nation Revenue Agency.”

In June, Bulgaria, a NATO member, joined the Cooperative Cyber Defence Centre of Excellence which is designed to help bolster cybersecurity abilities in an age of increasing threats from cyber warfare. 

On July 17, the police arrested a 20 year-old suspect named by the media as Kristiyan Boikov. The head of the police’s cybersecurity unit, Yavor Kolev, revealed in a statement that evidence suggests Mr Boikov had worked “on both sides” having been engaged with criminal activity, and with the state. Mr Boikov’s lawyer, Georgi Stefanov claims that his client is innocent and had nothing to do with the breach, blaming poor police work and shoddy evidence. He claims that “Kristiyan is an expert in his field” and if he did hack the National Revenue Agency, the police would never have found evidence that implicated him. Instead, he suggests that a rival network gave the police Mr Boikov’s name as a scapegoat. 

This is not the first time that Mr Boikov had made national headlines in Bulgaria. In 2017 he came to public attention for exposing the cybersecurity flaws in the education ministry’s website claiming that this was all part of “fulfilling my civic duty”. He has also made multiple posts regarding hacking and cybersecurity-related news on social media. 

If convicted, Mr Boikov could face up to eight years in prison.