2019 Bulgarian revenue agency hack

From Wikipedia, the free encyclopedia
2019 Bulgarian National Revenue Agency hack
Date15 July 2019 (revealed)
Location Bulgaria

On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The hacker responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack.

The leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of some 5 million Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating back as early as 2007, and as recently as June 2019.[1] According to some researchers, nearly every adult in the country had their personal data compromised.[2]


Successive Bulgarian governments have spent nearly two billion leva ($1.15 billion) on e-government projects since 2002, producing few results. The National Revenue Agency is one of only five entities that provide e-government services to citizens.[3] A 2018 government report indicated a very low level of cybersecurity at government entities, citing a lack of qualified IT employees in public agencies and noncompetitive salaries compared to the private sector.[4]

In 2017, personal data including addresses and names of 1.2 million Bulgarian children was openly accessible on a Ministry of Education website and the leak was not addressed until it was revealed by a report on investigative journalism website Bivol.bg.[5]

Serious doubts over government capacity to handle data continued in August 2018, when the Bulgarian Commercial Register, which contains the entire database of the Bulgarian economy, crashed.[6] A total hard disk drive failure caused by sloppy maintenance left 25 terabytes of company data inaccessible for more than two weeks, essentially halting business transactions.[7][8][9] Following the crash, the e-Government State Agency began an audit of software and hardware used by all government entities.[10] Later that year, a Cybersecurity Law came into effect, establishing a National Cybersecurity System along with several government positions related to cybercrime and accident prevention.[11]

A few days before the NRA hack was revealed, a white hat hacker reported serious vulnerabilities in the Bulgarian Commission for Personal Data Protection website; the hacker had "begged" the Commission to fix the issues for three years. The Commission did not take any action to protect the data, which included emails and phone numbers of more than 14,000 citizens.[12]


On 15 July, an anonymous hacker emailed Bulgarian media outlets with details of an attack carried out against "servers of the Ministry of Finance".[1] The leak revealed 11 gigabytes of data taken from National Revenue Agency databases. The 57 folders included .csv files, some with more than 1 million lines, containing full names, national identification numbers, revenue figures, personal debt information, health and pension payments, and a register of online gambling website users. The email also claimed that the entire volume of data amounted to 110 folders and 21 gigabytes. The message called the Bulgarian government "retarded", its computer security "parodic", and called for Julian Assange to be freed.[1]

On the following day, the NRA confirmed the authenticity of the data. According to the agency, its servers were accessed through a rarely used VAT refund service for deals abroad, and the breach had affected about 3% of their total database.[13]

The hacker deployed a SQL injection and randomly collected data from the servers.[14]


Arrest of Kristiyan Boykov[edit]

Kristiyan Boykov, a 20-year-old employee of a cybersecurity company, was arrested on 16 July by police in Sofia and charged with breach and theft of personal data.[15]

According to police, the released data also contained a lock file with information about the attacker's computer and username, which matched the one Boykov used in social media. The lock file, however, was dated before the supposed time of the attack.[14]

Boykov was released on 18 July, on the grounds that his attack had not affected critical NRA databases.[16] He denied carrying out the attack, stating that police had asked him "uncomfortable questions", used "slight intimidation", and attempted to extract a forced confession.[17] His lawyer announced that the evidence against Boykov is "non-existent", and that the accusation neither points to a specific time period or even a perpetrator. According to Boykov and his employers, a market competitor may have used the occasion to frame him and cause damage to their company.[14][17]

Commission for Personal Data Protection hack attempt[edit]

On July 22, the Commission for Personal Data Protection announced that an unsuccessful cyber attack had been carried out against it. It remains unknown if the database was targeted, but the attacker had used the local Wi-Fi network and was apparently in the vicinity of the Commission's headquarters.[18]



Political groups[edit]


Bulgarian IT professionals launched an online petition demanding open source software infrastructure for government services. The petition also demanded clarity on the billions spent on e-government since 2002 without noticeable results.[19]

See also[edit]


  1. ^ a b c "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  2. ^ "In systemic breach, hackers steal millions of Bulgarians' financial data". Reuters. 16 July 2019. Retrieved 22 July 2019.
  3. ^ "About BGN 2 Billion have been Spent on the Absent Bulgarian E-government for 15 years". Novinite. 5 December 2017. Retrieved 22 July 2019.
  4. ^ "Cybersecurity is tragic despite millions spent". Sega. 19 July 2019. Retrieved 22 July 2019.
  6. ^ "The Commercial Register in Bulgaria Collapsed". SBS Australia. 24 August 2018. Retrieved 22 July 2019.
  7. ^ "Crash of commercial register of Bulgaria blocks business deals". Bulgarian National Radio. 15 August 2018. Retrieved 22 July 2019.
  8. ^ "Commercial Register Set to Resume Work in 16:00" (in Bulgarian). Dnevnik. 27 August 2018. Retrieved 22 July 2019.
  9. ^ "The Trade Registry Now Down a Full Week". Mediapool. 18 August 2018. Retrieved 22 July 2019.
  10. ^ "State Registry Copies Will be Kept in a Single Storage". Darik News. 15 August 2018. Retrieved 22 July 2019.
  11. ^ "Parliament Adopts New Cybersecurity Law". Darik News. 31 October 2018. Retrieved 22 July 2019.
  12. ^ "FOR 3 YEARS WHITE HAT 'BEGS' DATA PROTECTION WATCHDOG TO STOP LEAKS FROM ITS SITE". Bivol.bg. 12 July 2019. Retrieved 22 July 2019.
  13. ^ "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  14. ^ a b c "The Country With the Most Open Data in the World" (in Bulgarian). Kapital Daily. 19 July 2019. Retrieved 21 July 2019.
  15. ^ "What happens when a country's entire adult population is hacked?". MIT Technology Review. 17 July 2019. Retrieved 21 July 2019.[permanent dead link]
  16. ^ "Suspect Arrested for NRA Hacker Attack Released from Detention". Novinite. 18 July 2019. Retrieved 21 July 2019.
  17. ^ a b "Kristiyan Boykov: I'm not the man who broke into NRA's system" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  18. ^ "Hacking attempt against the Personal Data Commission prevented" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  19. ^ "Programmers demand open code for software at Bulgarian institutions". Dir.bg. 27 July 2019. Retrieved 28 July 2019.