2019 Bulgarian Revenue Agency hack

2019 Bulgarian National Revenue Agency hack
Date: 15 July 2019 (revealed)
Location: Bulgaria

On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The hacker responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack.

The leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of some 5 million Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating back as early as 2007, and as recently as June 2019. [1] According to some researchers, nearly every adult in the country had their personal data compromised. [2]

Background

Successive Bulgarian governments have spent nearly two billion leva ($1.15 billion) on e-government projects since 2002, producing few results. The National Revenue Agency is one of only five entities that provide e-government services to citizens. [3] A 2018 government report indicated a very low level of cybersecurity at government entities, citing a lack of qualified IT employees in public agencies and noncompetitive salaries compared to the private sector. [4]

In 2017, personal data including addresses and names of 1.2 million Bulgarian children was openly accessible on a Ministry of Education website and the leak was not addressed until it was revealed by a report on investigative journalism website Bivol.bg. [5]

Serious doubts over government capacity to handle data continued in August 2018, when the Bulgarian Commercial Register, which contains the entire database of the Bulgarian economy, crashed. [6] A total hard disk drive failure caused by sloppy maintenance left 25 terabytes of company data inaccessible for more than two weeks, essentially halting business transactions. [7] [8] [9] Following the crash, the e-Government State Agency began an audit of software and hardware used by all government entities. [10] Later that year, a Cybersecurity Law came into effect, establishing a National Cybersecurity System along with several government positions related to cybercrime and accident prevention. [11]

A few days before the NRA hack was revealed, a white hat hacker reported serious vulnerabilities in the Bulgarian Commission for Personal Data Protection website; the hacker had "begged" the Commission to fix the issues for three years. The Commission did not take any action to protect the data, which included emails and phone numbers of more than 14,000 citizens. [12]

Attack

On 15 July, an anonymous hacker emailed Bulgarian media outlets with details of an attack carried out against "servers of the Ministry of Finance". [1] The leak revealed 11 gigabytes of data taken from National Revenue Agency databases. The 57 folders included .csv files, some with more than 1 million lines, containing full names, national identification numbers, revenue figures, personal debt information, health and pension payments, and a register of online gambling website users. The email also claimed that the entire volume of data amounted to 110 folders and 21 gigabytes. The message called the Bulgarian government "retarded", its computer security "parodic", and called for Julian Assange to be freed. [1]

On the following day, the NRA confirmed the authenticity of the data. According to the agency, its servers were accessed through a rarely used VAT refund service for deals abroad, and the breach had affected about 3% of their total database. [13]

The attacker used a SQL injection against the service and extracted data from the servers at random. [14]
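As an added illustration, not code from the article or from any NRA system, the following contrasts the query pattern that makes SQL injection possible with its parameterized fix, using a constructed in-memory table that stands in for a VAT refund lookup keyed by a taxpayer identifier (table, column and sample values are invented):

```python
import sqlite3

# Constructed sample rows standing in for a VAT refund register.
# Identifiers and names are invented; nothing here comes from the leak.
SAMPLE_ROWS = [
    ("1000000001", "Company A", 1200.50),
    ("1000000002", "Company B", 85.00),
    ("1000000003", "Company C", 4300.00),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vat_refunds (tax_id TEXT, name TEXT, amount REAL)")
    conn.executemany("INSERT INTO vat_refunds VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, tax_id):
    """Hypothetical weak form: the request value is spliced into the SQL text,
    so a value containing quote characters changes the query's logic and can
    return every row instead of one."""
    sql = ("SELECT tax_id, name, amount FROM vat_refunds WHERE tax_id = '"
           + tax_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tax_id):
    """Hardened form: the driver binds the value as data; it can never be
    interpreted as SQL syntax, whatever characters it contains."""
    sql = "SELECT tax_id, name, amount FROM vat_refunds WHERE tax_id = ?"
    return conn.execute(sql, (tax_id,)).fetchall()


def is_well_formed_tax_id(value):
    """Allow-list check a front end or log rule can apply in addition to
    parameterization: a taxpayer identifier here is digits only."""
    return value.isdigit() and len(value) == 10
```

The parameterized lookup is the fix; the allow-list check is defence in depth and a cheap signal for request logs, not a substitute.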

Aftermath

Arrest of Kristiyan Boykov

Kristiyan Boykov, a 20-year-old employee of a cybersecurity company, was arrested on 16 July by police in Sofia and charged with breach and theft of personal data. [15]

According to police, the released data also contained a lock file with information about the attacker's computer and username, which matched the one Boykov used in social media. The lock file, however, was dated before the supposed time of the attack. [14]

Boykov was released on 18 July, on the grounds that his alleged attack had not affected critical NRA databases. [16] He denied carrying out the attack, stating that police had asked him "uncomfortable questions", used "slight intimidation", and attempted to extract a forced confession. [17] His lawyer announced that the evidence against Boykov was "non-existent", and that the accusation pointed neither to a specific time period nor even to a perpetrator. According to Boykov and his employers, a market competitor may have used the occasion to frame him and cause damage to their company. [14] [17]

Commission for Personal Data Protection hack attempt

On 22 July, the Commission for Personal Data Protection announced that an unsuccessful cyber attack had been carried out against it. It remains unknown whether the database was targeted, but the attacker had used the local Wi-Fi network and was apparently in the vicinity of the Commission's headquarters. [18]

Reactions

Government

Political groups

Industry

Bulgarian IT professionals launched an online petition demanding open source software infrastructure for government services. The petition also demanded clarity on the billions spent on e-government since 2002 without noticeable results. [19]

References

  1. "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  2. "In systemic breach, hackers steal millions of Bulgarians' financial data". Reuters. 16 July 2019. Retrieved 22 July 2019.
  3. "About BGN 2 Billion have been Spent on the Absent Bulgarian E-government for 15 years". Novinite. 5 December 2017. Retrieved 22 July 2019.
  4. "Cybersecurity is tragic despite millions spent". Sega. 19 July 2019. Retrieved 22 July 2019.
  5. "Education Ministry's New Platform "Open and Safe School" Displayed Personal Data of 1.2 Million Bulgarian Children". Bivol.bg. 10 October 2017. Retrieved 22 July 2019.
  6. "The Commercial Register in Bulgaria Collapsed". SBS Australia. 24 August 2018. Retrieved 22 July 2019.
  7. "Crash of commercial register of Bulgaria blocks business deals". Bulgarian National Radio. 15 August 2018. Retrieved 22 July 2019.
  8. "Commercial Register Set to Resume Work at 16:00" (in Bulgarian). Dnevnik. 27 August 2018. Retrieved 22 July 2019.
  9. "The Trade Registry Now Down a Full Week". Mediapool. 18 August 2018. Retrieved 22 July 2019.
  10. "State Registry Copies Will be Kept in a Single Storage". Darik News. 15 August 2018. Retrieved 22 July 2019.
  11. "Parliament Adopts New Cybersecurity Law". Darik News. 31 October 2018. Retrieved 22 July 2019.
  12. "For 3 Years White Hat 'Begs' Data Protection Watchdog to Stop Leaks from Its Site". Bivol.bg. 12 July 2019. Retrieved 22 July 2019.
  13. "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  14. "The Country With the Most Open Data in the World" (in Bulgarian). Kapital Daily. 19 July 2019. Retrieved 21 July 2019.
  15. "What happens when a country's entire adult population is hacked?". MIT Technology Review. 17 July 2019. Retrieved 21 July 2019.
  16. "Suspect Arrested for NRA Hacker Attack Released from Detention". Novinite. 18 July 2019. Retrieved 21 July 2019.
  17. "Kristiyan Boykov: I'm not the man who broke into NRA's system" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  18. "Hacking attempt against the Personal Data Commission prevented" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  19. "Programmers demand open code for software at Bulgarian institutions". Dir.bg. 27 July 2019. Retrieved 28 July 2019.