On 15 July, media and public institutions in Bulgaria found out, from a website based abroad, that there had been a hack attack against the database of the National Revenue Agency (NRA) without anyone knowing anything about it. On the following day, an anonymous male, presenting himself as Russian married to a Bulgarian wife, said for a TV station that he was behind the attack but an agency spokesperson denied it. A source at the General Directorate for Combating Organized Crime told the Bulgarian National Radio that an employee of a Bulgarian cybersecurity company had been detained for the hacker attack. 

The authorities are not disclosing any details under the pretext that the investigation is still at the beginning though their actions indicate they are very concerned about the state of cybersecurity in Bulgaria.

And with good reason:

In August 2018, the commercial register in Bulgaria came down. In 2015, slap in the middle of the local elections, the websites of the Interior Ministry, the Central Electoral Commission and several other institutions were hacked. These incidents may be different yet they raise one question – is the state providing sufficient protection to its institutions, registers and e-services? A question the state is asking itself too, if yesterday’s statement by Interior Minister Mladen Marinov is anything to go by. As he put it the latest attack against the NRA should be a red flag for all major administrative systems in the country. On his part, Finance Minister Vladislav Goranov said in parliament that the information in the NRA’s database was protected but apologized to the people affected by the hacking attack. In the words of the interior minister files have been hacked containing data about hundreds of thousands of Bulgarian citizens, their names, national identification numbers, as well as the names of Bulgarian companies with their unique identifiers. Prime Minister Boyko Borissov even convened the Council of Ministers’ Security Council over the hack attack. The Security Council makes operating decisions that are mandatory. 

That the powers-that-be are worried is evident from other steps the government has taken. Bulgaria asked for help from the European Commission and from the EU Agency for Cybersecurity. European Commissioner for Digital Economy and Society Mariya Gabriel has been made aware of the details of the incident. The government is expecting full cooperation, in the coming days, from the European Union Agency for Network and Information Security, based in Greece.

Reactions by experts have varied widely. One of them, who found his own name in the leaked personal data base, described the NRA hack as “IT Chernobyl”. Others tend to agree with the Finance Ministry that “the data leaked are not all that valuable”. From the very beginning of the disclosures, there have been some who have warned, and it looks like they were right, that “in 90 percent of hacker attacks such as this one there is an insider”. One expert commented for the Bulgarian National Radio that hacker attacks like this one are an everyday occurrence in the world, and though this is the first attack with such a far-reaching effect on personal data in Bulgaria, ultimately this is a “standard situation”.

But since 2015 we have been witnessing a great many “standard situations”, and some of the reactions show a tendency of looking for the roots of the hack attacks against Bulgarian institutions in places outside the country, usually Russia. None of these accusations, since 2015, have ever been corroborated, and as to the latest attack on the NRA, the agency’s spokesperson Rosen Bachvarov stated that the people who had instigated it were Bulgarian. However at this point there is no proof that this is so either. If the authorities adduce evidence to this effect, then the people affected will be able to sue concrete perpetrators instead of the state, as some have already threatened to do.