| Date | 15 July 2019 (revealed) |
|---|---|
| Location | Bulgaria |
On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The hacker responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack.
The leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of some 5 million Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating back as early as 2007, and as recently as June 2019. [1] According to some researchers, nearly every adult in the country had their personal data compromised. [2]
Successive Bulgarian governments have spent nearly two billion leva ($1.15 billion) on e-government projects since 2002, producing few results. The National Revenue Agency is one of only five entities that provide e-government services to citizens. [3] A 2018 government report indicated a very low level of cybersecurity at government entities, citing a lack of qualified IT employees in public agencies and noncompetitive salaries compared to the private sector. [4]
In 2017, personal data including addresses and names of 1.2 million Bulgarian children was openly accessible on a Ministry of Education website and the leak was not addressed until it was revealed by a report on investigative journalism website Bivol.bg. [5]
Serious doubts over government capacity to handle data continued in August 2018, when the Bulgarian Commercial Register, which contains the entire database of the Bulgarian economy, crashed. [6] A total hard disk drive failure caused by sloppy maintenance left 25 terabytes of company data inaccessible for more than two weeks, essentially halting business transactions. [7] [8] [9] Following the crash, the e-Government State Agency began an audit of software and hardware used by all government entities. [10] Later that year, a Cybersecurity Law came into effect, establishing a National Cybersecurity System along with several government positions related to cybercrime and accident prevention. [11]
A few days before the NRA hack was revealed, a white hat hacker reported serious vulnerabilities in the Bulgarian Commission for Personal Data Protection website; the hacker had "begged" the Commission to fix the issues for three years. The Commission did not take any action to protect the data, which included emails and phone numbers of more than 14,000 citizens. [12]
On 15 July, an anonymous hacker emailed Bulgarian media outlets with details of an attack carried out against "servers of the Ministry of Finance". [1] The leak revealed 11 gigabytes of data taken from National Revenue Agency databases. The 57 folders included .csv files, some with more than 1 million lines, containing full names, national identification numbers, revenue figures, personal debt information, health and pension payments, and a register of online gambling website users. The email also claimed that the entire volume of data amounted to 110 folders and 21 gigabytes. The message called the Bulgarian government "retarded", its computer security "parodic", and called for Julian Assange to be freed. [1]
On the following day, the NRA confirmed the authenticity of the data. According to the agency, its servers were accessed through a rarely used VAT refund service for deals abroad, and the breach had affected about 3% of its total database. [13]
The hacker deployed a SQL injection and randomly collected data from the servers. [14]
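The article says only that the entry point was a SQL injection in a rarely used web service. As an added illustration (not code from the NRA systems or from the article's sources), the block below builds a constructed in-memory table standing in for a refund lookup and shows the two ways a lookup can be written: with untrusted input pasted into the SQL text, and with the input bound as a parameter. It also adds a simple defensive check that a per-claim lookup should never return more than one row, which is the kind of anomaly a service like the one described could log. Table name, column names, and sample rows are all invented for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny stand-in for a refund-claim table.
# Nothing here comes from the NRA; claim ids, names and amounts are invented.
SAMPLE_ROWS = [
    ("1001", "Company A", 1200.50),
    ("1002", "Company B", 845.00),
    ("1003", "Company C", 15000.00),
]

# Claim ids in this example are short digit strings; anything else is rejected
# before it reaches the database (defence in depth, not a substitute for binding).
CLAIM_ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def build_db():
    """Create the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE refunds (claim_id TEXT, claimant TEXT, amount REAL)")
    conn.executemany("INSERT INTO refunds VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, claim_id):
    """Untrusted input is concatenated into the SQL text.

    The caller, not the code, now decides the shape of the WHERE clause,
    which is exactly the defect a SQL injection exploits.
    """
    sql = f"SELECT claim_id, claimant, amount FROM refunds WHERE claim_id = '{claim_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, claim_id):
    """The input is bound as a value; the query shape is fixed by the code."""
    if not CLAIM_ID_PATTERN.match(claim_id):
        return []  # reject malformed ids without touching the database
    sql = "SELECT claim_id, claimant, amount FROM refunds WHERE claim_id = ?"
    return conn.execute(sql, (claim_id,)).fetchall()


def row_count_anomalous(rows):
    """A lookup keyed on a single claim id should yield zero or one row.

    More than one row means the predicate did not behave as written, which is
    worth logging and alerting on even when the query itself was not fixed.
    """
    return len(rows) > 1


def compare(claim_id):
    """Return (rows from vulnerable lookup, rows from parameterized lookup)."""
    conn = build_db()
    return len(lookup_vulnerable(conn, claim_id)), len(lookup_parameterized(conn, claim_id))


if __name__ == "__main__":
    # A well-formed id behaves the same either way; a tautology string does not.
    for probe in ("1002", "' OR '1'='1"):
        conn = build_db()
        rows = lookup_vulnerable(conn, probe)
        print(probe, compare(probe), "anomalous:", row_count_anomalous(rows))
```

The parameterized version returns nothing for the tautology string because the database compares the whole string against `claim_id` as data rather than parsing it as SQL; the allow-list check in front of it is a second, independent barrier. The row-count check is deliberately cheap: it needs no knowledge of the payload, only of what the endpoint is supposed to return.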
Kristiyan Boykov, a 20-year-old employee of a cybersecurity company, was arrested on 16 July by police in Sofia and charged with breach and theft of personal data. [15]
According to police, the released data also contained a lock file with information about the attacker's computer and username, which matched the one Boykov used on social media. The lock file, however, was dated before the supposed time of the attack. [14]
Boykov was released on 18 July, on the grounds that his attack had not affected critical NRA databases. [16] He denied carrying out the attack, stating that police had asked him "uncomfortable questions", used "slight intimidation", and attempted to extract a forced confession. [17] His lawyer announced that the evidence against Boykov was "non-existent", and that the accusation pointed neither to a specific time period nor to a perpetrator. According to Boykov and his employers, a market competitor may have used the occasion to frame him and cause damage to their company. [14] [17]
On July 22, the Commission for Personal Data Protection announced that an unsuccessful cyber attack had been carried out against it. It remains unknown if the database was targeted, but the attacker had used the local Wi-Fi network and was apparently in the vicinity of the Commission's headquarters. [18]
Bulgarian IT professionals launched an online petition demanding open source software infrastructure for government services. The petition also demanded clarity on the billions spent on e-government since 2002 without noticeable results. [19]