Bulgarian officials confirmed on July 16 that a cyber attack on the National Revenue Agency gained access to the personal and financial data of millions of Bulgarians. The attack was first reported a day earlier, when several Bulgarian media outlets said that they had received emails with data allegedly lifted from the Bulgarian Finance Ministry’s servers.
Bulgaria’s National Revenue Agency said in a statement that its databases had been compromised by “unauthorised access to about three per cent of the information contained in the agency’s databases.”
The agency said that all its services were functioning normally, with the sole exception of the service to refund value-added tax paid abroad. A vulnerability in that system is believed to have been exploited in the cyber attack, the agency’s spokesperson Rossen Bachvarov said, as quoted by Bulgarian National Radio.
He said that the agency had checked a part of the stolen data, which was enough to confirm that it was authentic.
Finance Minister Vladislav Goranov described the leak as “highly unpleasant”, but sought to offer reassurance that the stolen data was not enough to give the full picture of an individual’s financial state.
Goranov was one of several officials, including Interior Minister Mladen Marinov, who participated in the Government’s security council meeting on the cyber attack, called by Prime Minister Boiko Borissov.
Speaking to reporters after the security council meeting, he could not give an exact number of the people affected, but estimated that it was likely in the millions.
Marinov said that the investigation was still underway, but that measures had already been taken to minimise the damage. Other state institutions were checking their own computer systems for any recent unauthorised access, as ordered by Borissov, he said.
Earlier in the day, on the breakfast show of broadcaster bTV, Marinov appeared to suggest that the leak’s timing might have been linked to the Cabinet’s decision on July 15 to approve amendments to the 2019 Budget Act to pay $1.25 billion for eight US-made F-16 fighter jets. (The email sent to Bulgarian media was created on Russian email provider Yandex and the data was hosted on servers located in Russia.)
Goranov said he did not want to speculate on Marinov’s words about such a link, saying that the data leak was certain to have occurred long before it was made public. There did not appear to be conclusive evidence of a Russian connection, he said.
Goranov repeatedly said that investigators did not exclude the possibility of inside assistance for the cyber attack, but said that it was more likely that it was a fully external breach.
He said that the data breach would be communicated to the country’s personal data protection commission and European institutions well within the 72 hours mandated by the European Union’s General Data Protection Regulation (GDPR).
Meanwhile, private broadcaster Nova Televizia said that it received a reply to an inquiry the station made after receiving the initial email. The author, writing in English, claimed to be a Russian citizen married to a Bulgarian and to have successfully gained access to the vulnerable system in 2012, in an attack that went undetected.
The email’s author went on to say that Bulgaria’s law enforcement would “cover the real truth” and threatened to upload the full 21 gigabytes of compromised data if that was the case.
(Finance Minister Vladislav Goranov speaking to the media on July 16. Screengrab from Bulgarian National Television.)