Bulgaria’s Tax Agency Hacked, And Had Data Of 5 Million People Leaked

17/07/2019

Bulgaria has suffered what it described as the largest data breach in its history.

The local media outlet Capital received an email, sent from a Russian Yandex email address, with links to download hacked data from the country's tax reporting service, the National Revenue Agency (NRA).

Hackers somehow managed to gain access to sensitive information of millions of Bulgarians, including personal identification numbers, addresses and income data. Bulgarian newspaper 24 Chasa said that it also received one emailed file containing more than a million personal identification numbers with income, social security and healthcare figures.

"There are more than 5 million Bulgarian and international citizens, as well as companies, affected in the breach," the hackers said.

To put that into perspective, Bulgaria has a population of 7 million.

In other words, data about nearly every adult in the country was exposed.

Summoned to parliament, Bulgaria’s Finance Minister Vladislav Goranov apologized "to all Bulgarian citizens who have been made vulnerable", after admitting the breach affected about 3% of the agency’s database.

People walk outside Bulgaria's National Revenue Agency building in Sofia, Bulgaria. (Image: Reuters)

In a written statement on July 15th, the NRA said:

"The authorities are investigating a potential security breach in the systems of the National Revenue Agency."

"Earlier today, local media were emailed a download link to the leaked data, which purportedly originated from the Bulgarian Ministry of Finance."

"Our investigation has found that about 3 percent of the data contained in the NRA databases has been accessed without authorization approximately 20 days ago," the agency wrote on July 16. "The investigation continues in full swing."

The breach of NRA's servers happened at the end of June 2019, and it was said that the databases contained at least 21GB of data.

In the email, the author described the government as corrupt and Bulgaria's cybersecurity readiness as a "parody."

The author of the email also explained that the hackers had compromised more than 110 databases, dating back as far as 2007, that also include "critically confidential" information from key administrations.

According to the Finance Minister, the millions of records exposed were not classified, meaning that they won't endanger financial stability. He explained that initial analysis of the information that had become public showed insufficient "substantive conclusions" about any citizen's financial situation.

He further said that anyone who attempted to exploit the data "would fall under the impact of Bulgarian law".

On top of the local investigation, Bulgaria planned to seek help from the EU cybersecurity agency to audit its most sensitive systems.

Local media speculated about the motives for the hack, focusing on highlighting the NRA's failure to introduce robust security protocols rather than on any attempt to root out corruption.