In a significant cybersecurity incident, Bulgaria has experienced the largest data breach in its history, affecting the personal and financial information of approximately 5 million adults. This breach represents a substantial portion of the country’s total population of 7 million.

Reports indicate that the breach was executed by an unidentified hacker who, earlier this week, provided local media with download links to 11GB of sensitive stolen data. This data includes personally identifiable information such as taxpayer identification numbers, addresses, and financial records. The Bulgarian National Revenue Agency (NRA) confirmed in a statement that the compromised data was sourced from its tax reporting service.

In response to this incident, the NRA has commenced an evaluation process in collaboration with the Ministry of the Interior and the State Agency for National Security (SANS). They are working to identify potential vulnerabilities in the NRA’s systems that could have allowed attackers to infiltrate their databases. Thus far, the hacker, who claims to be based in Russia, has only made 57 out of an estimated 110 databases publicly accessible, amounting to around 21GB of data.

Around 20 days prior to the public disclosure, the NRA revealed unauthorized access to about 3 percent of information contained within its databases. Despite this breach, the agency assured that its e-services for citizens and businesses remained operational, with minimal restrictions on access to sensitive information.

As a result of the incident, the NRA faces potential penalties of up to €20 million (approximately $22.43 million), which could reach 4% of its annual turnover, according to a member of the Commission for Personal Data Protection.

In a related development, Bulgarian authorities have apprehended a 20-year-old “white-hat hacker,” identified as Christian Boykov, as the prime suspect in this breach. Authorities conducted a search of his residence and workplace in Sofia, confiscating computers that reportedly contained encrypted data. Boykov, a cybersecurity expert previously engaged in training law enforcement, was hired by the global cybersecurity firm “TAD Group” to conduct penetration testing for state agencies and private enterprises.

The ongoing investigation has not conclusively linked Boykov to the data breach. Nonetheless, he has been charged with unauthorized access to critical state infrastructure. His defense team asserts that there is no substantial evidence against him. If found guilty, Boykov, who has no prior criminal history, could face a sentence of up to eight years in prison.

This incident highlights critical concerns regarding the cybersecurity landscape in Bulgaria and has broader implications for businesses operating under data protection regulations. In MITRE ATT&CK terms, the breach may have involved adversary tactics such as initial access, exploitation of vulnerabilities, and subsequent data exfiltration. Business owners are encouraged to reassess their cybersecurity strategies to better safeguard against similar vulnerabilities in their systems.