Eastern European country Bulgaria has suffered the biggest data breach in its history that compromised personal and financial information of 5 million adult citizens out of its total population of 7 million people.
According to multiple sources in local Bulgarian media, an unknown hacker earlier this week emailed them download links to 11GB of stolen data which included taxpayer’s personal identifiable numbers, addresses, and financial data.
In a brief statement released Monday, the National Revenue Agency (NRA) of Bulgaria said the stolen data originates from the country’s tax reporting service.
The NRA also indicated that the Ministry of the Interior and the State Agency for National Security (SANS) have started taking an assessment of the potential vulnerability in NRA’s systems that attackers might have exploited to breach into its databases.
It appears that until now, the hacker, who claimed to be a Russian man, has only released 57 out of a total of 110 compromised databases, which is about 21GB in total.
In a follow-up announcement, the NRA said almost 20 days ago, the attacker unauthorizedly accessed about 3 percent of the information contained in their databases.
“Currently, e-services for citizens and businesses are functioning normally, with the exception of the VAT refund service paid abroad, as well as by the revenue office. Unregulated access to sensitive information is limited,” the NRA said.
As consequences of the incident, Bulgaria’s NRA tax agency is now facing a fine of up to 20 million euros ($22.43 million) or 4% of the agency’s annual turnover over the data breach, said Prof. Veselin Tselkov, a member of the Commission for Personal Data Protection.
What’s the noise about
The 11GB of information, containing 57 folders and 1044 files, was linked in an email coming from an anonymous hacker sent to the Bulgarian media.
As it turned out the data breach happened already in June.
The mail address was shut down around a day after the first mailing campaign, after which only three media received additional information from a different mail and from a person claiming to be a Russian citizen.
In a nutshell, what was said in those emails is that this is only half of the extracted information.
It contains the personal numbers of 4.66m alive and 1.38m dead citizens.
According to the financial minister Vladislav Goranov’s official statement, this is supposed to be only 3% of NRA’s databases.
According to a former cybercrime unit inspector, most of the exposed data is old, as this has been happening for years.
In his second mail, the “hacker” also claimed the data extraction has been happening in the past 11 years.
“Percentages and megabytes are an irrelevant piece of data here.
The right question is how many citizens are affected. And the number is ‘many’,” commented on Facebook Bozhidar Bozhanov, founder of Infosecurity startup Logsentinel, former counselor to the Ministry of Interior.
According to Veselin Tselkov, a board member at the Commission for Personal Data Protection, Bulgaria’s tax agency could now face a fine of up to €20m which equals 4% of its annual revenue.
The sensitive data could be used for blackmailing, firms and properties could be stolen more easily.
On a more positive note, journalistic and institutional investigation of corruption could also be enhanced by the new data.
These are however all speculations. In fact, the leaked data doesn’t contain any personal identification codes that are needed to enter a person’s account in the NRA system.
The red flag here, however, is how was the system hacked and it shows either dramatic vulnerability or great hacker talent in Bulgaria. As prime minister Boyko Borisov said, the arrested 20-years-old suspect should be a wizard hacker. Yet…
One Google search away?
What has basically happened, or at least the officially announced version is that the access to servers of the agency was established through one of its e-services, which is to refund VAT on foreign transactions (VATrefund).
It was announced that the breach was a result of a SQL (language used to communicate with a database – ed.n.) injection.
“Everyone with access to Google and basic literacy could hack this system.
Googling -SQL injection, will immediately give you information on the commands one needs to enter in the form instead of a name, ID number or other identification data, so you enter the databases,” explains simply Anton Gerunov from infosecurity startup Logsentinel.
According to him, there is enough data and information available to make such a breach easily possible.
Bulgarian Association of Cybersecurity has pointed out a few steps to maintain the level of security against hackers that might have helped to prevent such leaks.
Performing penetration tests, which shows the weak spots in the system and give the hackers access.
The traffic in the network of the state institution should be tracked by a dedicated system for management and monitoring.
In case the first two are somehow compromised, then software for computer forensics should be used.
Such software performs a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.
Who did it?
It’s still unclear. On Tuesday afternoon, the Bulgarian GDCOC (General Directorate Combating Organized Crime) arrested the 20-year old white hacker Kristian Boykov, suspecting he is involved in the attack. He was released on Thursday due to lack of evidence.
The investigators linked Boykov to one of the files that were sent to the media.
It contains a unique user name, the specific computer configuration and the time and date.
Boykov is reported to have led educational courses on cybersecurity for GDCOC.
Two years ago he broke into the database of the Ministry of Education and Science (MES).
After signaling the MES about the vulnerabilities, without getting a reply, he turned to a local tv show.
This is when TAD Group, a global cybersecurity company based in California, US with an office in Sofia offered him a job.
From 2017 Boykov is working in the company as a cybersecurity expert.
Suspected “White Hat” Hacker Arrested
Bulgarian police have also arrested a 20-year-old “white-hat hacker” as the main suspect for the NRA data breach after authorities raided his home and office in the capital Sofia and seized his computers containing encrypted data, according to a local media.
The arrested suspect, Christian Boykov, is a cybersecurity expert who has been training officers of the GCDPC for fighting organized cybercrime.
Boykov was in the news two years ago, when he found a vulnerability in the website of the Ministry of Education and Science (MES) and contacted “Lords of the Air,” a popular TV show to tell the story only after the ministry ignored his initial disclosure.
After that incident, Boikov was hired as an ethical hacker by the global cybersecurity company “TAD Group,” and at the moment of arrest, he was an employee of the company, where his job responsibility was to pentest the systems in the state agencies and private companies for potential vulnerabilities.
Since the investigation is still ongoing, at this moment, it’s not clear if he is behind the NRA data breach.
However, the Sofia City Prosecutor’s Office accused Boykov of unauthorized access to a computer system that is part of the critical infrastructure of the state.
His lawyers say there is no evidence against the boy, but if proven guilty, Boikov—who has no past criminal record—could face up to 8 years in prison.