Bulgaria’s prosecutor’s office said on July 25 that it pressed new charges against three people in its investigation into the data breach at the country’s National Revenue Agency, in which the personal data of more than four million people was stolen.
Kristian Boikov, whom prosecutors previously identified as the alleged perpetrator of the data breach, was charged with cyber-terrorism, in addition to the earlier charges of cyber crimes against computer systems that are part of critical infrastructure, which carries a possible sentence of five to eight years in prison. The cyber-terrorism charges carry a possible sentence of five to 15 years.
The two other people were charged with instigating the crime – although their names were not given, one was identified as the executive director at the cyber-security company were Boikov is employed and the other was the company’s owner, the prosecutor’s office statement said.
Prosecutors said that the evidence collected at the company showed that the tax agency was not the only subject of cyber-attacks allegedly conducted by the trio.
The data breach was reported on July 15 after several Bulgarian media were sent emails with data allegedly lifted from the Bulgarian Finance Ministry’s servers. A day later, officials confirmed that the data was genuine, but the tax agency has since said that only the data of 189 people was compromised to an extent that would make them more susceptible to “potential fraud.”
The agency also set up a page (in Bulgarian only) where taxpayers can check whether their personal data was leaked by entering their EGN identification number (or the equivalent number issued to third-country foreigners with long-term residence permits) and a phone number.
The agency has said that the page would allow only one check per ID number to prevent abuse and would tell users only whether their data was leaked, but not which information was included.
Also on July 25, Bulgaria’s National Assembly decided to set up an ad hoc parliamentary committee to investigate “all the facts and circumstances” regarding the data breach.
The 15-member committee, in which all parliamentary groups are equally represented, will have a three-month period to hold hearings and will need to produce a report on its investigation, which can include recommendations for future legislative and executive action.