A hacker in Bulgaria managed to access the nation’s tax database and was able to steal the contents of every working individual in the country before publishing the stolen data online.
In total, data of five-million - of Bulgaria’s 7 million population - were published online, including social security information, incomes, names and addresses.
The attack is believed to have happened last month, and “remained undetected until an email from a Russian email address was sent to Bulgarian news outlets last week claiming responsibility for the attack,” according to reports.
“In that email, the sender claimed to be a Russian hacker, gave downloadable links to the stolen information and mocked Bulgaria’s cyber security efforts.”
Boyko Borisov, Bulgaria’s prime minister said the hacker was a “wizard”, and that the country should begin hiring individuals of a similar skillset to work for the state, rather than against it.
The New York Times is reporting that Bulgarian officials are suggesting Russia may be responsible for the hack, as a form of retaliation for Bulgaria’s purchase of fighter jets from America.
Authorities are still in the infant stages of a wide-sprawling investigation, but have made moves to single out a perpetrator.
The Bulgarian tax agency stands to be fined up to 20-million euros for breaches of the GDPR legislation, that provides a mandate for organisations to provide adequate protections for private data, amongst a raft of new changes.
They arrested 20-year-old, Kristian Boykov, who was charged with committing a computer crime against critical infrastructure last week. He has since been released by authorities, after it was believed Boykov is what is known as a ‘white hat’ hacker, who works to find vulnerabilities in the network of an organisation, and addresses ways in which that organisation can fix these gaps, according to NPR.
Boykov and his lawyer maintain that he was not involved in the incident, while his charges have been downgraded from a computer charge against critical infrastructure, which carries a maximum sentence of eight years’ imprisonment, to the lesser charge of crime against information systems, which carries a three-year sentence.
A CNN report quoted Asen Genov, a blogger and political analyst who says that following the hack, “we should all be angry.”
“The information is now freely available to anyone. Many, many people in Bulgaria already have this file, and I believe that it’s not only in Bulgaria,” Genov said.
The report also mentions the fact that “government databases are gold mines for hackers. They contain a huge wealth of information that can be ‘useful’ for years to come.”
CNN interviewed Guy Bunker, an information security expert and chief technology officer at Clearswift who said that while “you can make [your password] longer and more sophisticated, the information the government holds are things that are not going to change.”
“Your date of birth is not going to change, you’re not going to move house tomorrow.”
Data like this is a treasure trove for cyber criminals looking to compromise you or your system as it gives them valuable and accurate data in which they can target you with spear-phishing campaigns, or educated guesses as to your banking passwords as they have an accurate portrait of you already painted.
“A lot of the information that was taken was valid yesterday, is valid today, and will probably be valid for a large number of people in five, 10, 20 years’ time,” he said.