Bulgaria’s Commission for Personal Data Protection will impose a fine of 5.1 million leva (about 2.6 million euro) on the National Revenue Agency for the breach that resulted in the personal data of about 4.1 million taxpayers being stolen.
The watchdog’s chairperson Ventsislav Karadjov told public broadcaster Bulgarian National Television that in deciding the size of the fine, the commission took into account the “responsible actions” of the tax agency to report the breach and contact the people affected by it.
The maximum amount stipulated by law is 20 million euro.
Karadjov said that the tax agency should have done better to prevent the cyber attack, but downplayed fears that the personal data could be used for identity fraud.
He said that the fine was final in that there would be no further sanctions against the revenue agency, but was subject to judicial appeal.
The tax agency said that it would appeal the fine, arguing that the “unauthorized access, the data extraction and subsequent public disclosure are the result of criminal actions, carried out independently of and despite the technical and organisational measures undertaken by the National Revenue Agency to protect the data.”
(Ventsislav Karadjov screengrab from Bulgarian National Television.)