2019 Bulgarian Revenue Agency hack

On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The hacker responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack.

The leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of some 5 million Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating from as early as 2007 to as recently as June 2019. According to some researchers, nearly every adult in the country had their personal data compromised.

Background
Successive Bulgarian governments have spent nearly two billion leva ($1.15 billion) on e-government projects since 2002, producing few results. The National Revenue Agency is one of only five entities that provide e-government services to citizens. A 2018 government report indicated a very low level of cybersecurity at government entities, citing a lack of qualified IT employees in public agencies and noncompetitive salaries compared to the private sector.

In 2017, personal data including addresses and names of 1.2 million Bulgarian children was openly accessible on a Ministry of Education website and the leak was not addressed until it was revealed by a report on investigative journalism website Bivol.bg.

Serious doubts over government capacity to handle data continued in August 2018, when the Bulgarian Commercial Register, which contains the entire database of the Bulgarian economy, crashed. A total hard disk drive failure caused by sloppy maintenance left 25 terabytes of company data inaccessible for more than two weeks, essentially halting business transactions. Following the crash, the e-Government State Agency began an audit of software and hardware used by all government entities. Later that year, a Cybersecurity Law came into effect, establishing a National Cybersecurity System along with several government positions related to cybercrime and accident prevention.

A few days before the NRA hack was revealed, a white hat hacker reported serious vulnerabilities in the Bulgarian Commission for Personal Data Protection website; the hacker had "begged" the Commission to fix the issues for three years. The Commission did not take any action to protect the data, which included emails and phone numbers of more than 14,000 citizens.

Attack
On 15 July, an anonymous hacker emailed Bulgarian media outlets with details of an attack carried out against "servers of the Ministry of Finance". The leak revealed 11 gigabytes of data taken from National Revenue Agency databases. The 57 folders included .csv files, some with more than 1 million lines, containing full names, national identification numbers, revenue figures, personal debt information, health and pension payments, and a register of online gambling website users. The email also claimed that the entire volume of data amounted to 110 folders and 21 gigabytes. The message called the Bulgarian government "retarded", its computer security "parodic", and called for Julian Assange to be freed.

On the following day, the NRA confirmed the authenticity of the data. According to the agency, its servers were accessed through a rarely used VAT refund service for deals abroad, and the breach had affected about 3% of their total database.

The hacker used an SQL injection attack and collected data from the servers at random.

Arrest of Kristiyan Boykov
Kristiyan Boykov, a 20-year-old employee of a cybersecurity company, was arrested on 16 July by police in Sofia and charged with breach and theft of personal data.

According to police, the released data also contained a lock file with information about the attacker's computer and username, which matched the one Boykov used on social media. The lock file, however, was dated before the supposed time of the attack.

Boykov was released on 18 July, on the grounds that his attack had not affected critical NRA databases. He denied carrying out the attack, stating that police had asked him "uncomfortable questions", used "slight intimidation", and attempted to extract a forced confession. His lawyer announced that the evidence against Boykov is "non-existent", and that the accusation points neither to a specific time period nor even to a perpetrator. According to Boykov and his employers, a market competitor may have used the occasion to frame him and cause damage to their company.

Commission for Personal Data Protection hack attempt
On 22 July, the Commission for Personal Data Protection announced that an unsuccessful cyber attack had been carried out against it. It remains unknown if the database was targeted, but the attacker had used the local Wi-Fi network and was apparently in the vicinity of the Commission's headquarters.

Industry
Bulgarian IT professionals launched an online petition demanding open source software infrastructure for government services. The petition also demanded clarity on the billions spent on e-government since 2002 without noticeable results.