2019 Bulgarian revenue agency hack

2019 Bulgarian National Revenue Agency hack
Date: 15 July 2019 (revealed)
Location: Bulgaria

On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The hacker responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack.


The leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of some 5 million Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating back as early as 2007, and as recently as June 2019. [1] According to some researchers, nearly every adult in the country had their personal data compromised. [2]

Background

Successive Bulgarian governments have spent nearly two billion leva ($1.15 billion) on e-government projects since 2002, producing few results. The National Revenue Agency is one of only five entities that provide e-government services to citizens. [3] A 2018 government report indicated a very low level of cybersecurity at government entities, citing a lack of qualified IT employees in public agencies and noncompetitive salaries compared to the private sector. [4]

In 2017, personal data including addresses and names of 1.2 million Bulgarian children was openly accessible on a Ministry of Education website and the leak was not addressed until it was revealed by a report on investigative journalism website Bivol.bg. [5]

Serious doubts over government capacity to handle data continued in August 2018, when the Bulgarian Commercial Register, which contains the entire database of the Bulgarian economy, crashed. [6] A total hard disk drive failure caused by sloppy maintenance left 25 terabytes of company data inaccessible for more than two weeks, essentially halting business transactions. [7] [8] [9] Following the crash, the e-Government State Agency began an audit of software and hardware used by all government entities. [10] Later that year, a Cybersecurity Law came into effect, establishing a National Cybersecurity System along with several government positions related to cybercrime and accident prevention. [11]

A few days before the NRA hack was revealed, a white hat hacker reported serious vulnerabilities in the Bulgarian Commission for Personal Data Protection website; the hacker had "begged" the Commission to fix the issues for three years. The Commission did not take any action to protect the data, which included emails and phone numbers of more than 14,000 citizens. [12]

Attack

On 15 July, an anonymous hacker emailed Bulgarian media outlets with details of an attack carried out against "servers of the Ministry of Finance". [1] The leak revealed 11 gigabytes of data taken from National Revenue Agency databases. The 57 folders included .csv files, some with more than 1 million lines, containing full names, national identification numbers, revenue figures, personal debt information, health and pension payments, and a register of online gambling website users. The email also claimed that the entire volume of data amounted to 110 folders and 21 gigabytes. The message called the Bulgarian government "retarded", its computer security "parodic", and called for Julian Assange to be freed. [1]

On the following day, the NRA confirmed the authenticity of the data. According to the agency, its servers were accessed through a rarely used VAT refund service for deals abroad, and the breach had affected about 3% of its total database. [13]

The hacker deployed a SQL injection and randomly collected data from the servers. [14]
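The article names SQL injection through a rarely used web service as the entry point but does not show what that looks like in code. The following added example (not from the article, the NRA or any investigation; the table, rows and refund-reference format are constructed) places the vulnerable query pattern beside its hardened form, using an in-memory SQLite table standing in for a VAT-refund lookup.

```python
import re
import sqlite3

# Constructed sample rows standing in for a VAT-refund lookup table; not real data.
SAMPLE_ROWS = [
    ("VR-2019-0001", "Example Ltd", 1200.50),
    ("VR-2019-0002", "Sample EOOD", 845.00),
    ("VR-2019-0003", "Demo AD", 9999.99),
]

# Assumed reference format for the allow-list check (hypothetical, for illustration).
REF_PATTERN = re.compile(r"^VR-\d{4}-\d{4}$")


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vat_refunds (ref TEXT, company TEXT, amount REAL)")
    conn.executemany("INSERT INTO vat_refunds VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, ref):
    """Vulnerable pattern: the caller's input is spliced into the SQL text."""
    query = f"SELECT ref, company, amount FROM vat_refunds WHERE ref = '{ref}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, ref):
    """Hardened pattern: allow-list validation plus a parameterized query."""
    if not REF_PATTERN.match(ref):
        return []  # reject anything that is not a well-formed refund reference
    query = "SELECT ref, company, amount FROM vat_refunds WHERE ref = ?"
    return conn.execute(query, (ref,)).fetchall()


def demo():
    """Row counts each lookup returns for a benign and a tautology input."""
    conn = make_db()
    benign = "VR-2019-0002"
    hostile = "' OR '1'='1"  # constructed tautology input; turns one lookup into a dump
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the tautology input, which is how a single rarely used endpoint can expose a whole table; the parameterized version returns nothing for it even without the allow-list check, and the allow-list additionally keeps malformed references out of the database layer and gives a clear event to log.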

Aftermath

Arrest of Kristiyan Boykov

Kristiyan Boykov, a 20-year-old employee of a cybersecurity company, was arrested on 16 July by police in Sofia and charged with breach and theft of personal data. [15]

According to police, the released data also contained a lock file with information about the attacker's computer and username, which matched the one Boykov used in social media. The lock file, however, was dated before the supposed time of the attack. [14]

Boykov was released on 18 July, on the grounds that his attack had not affected critical NRA databases. [16] He denied carrying out the attack, stating that police had asked him "uncomfortable questions", used "slight intimidation", and attempted to extract a forced confession. [17] His lawyer announced that the evidence against Boykov was "non-existent", and that the accusation pointed neither to a specific time period nor even to a perpetrator. According to Boykov and his employers, a market competitor may have used the occasion to frame him and cause damage to their company. [14] [17]

Commission for Personal Data Protection hack attempt

On July 22, the Commission for Personal Data Protection announced that an unsuccessful cyber attack had been carried out against it. It remains unknown if the database was targeted, but the attacker had used the local Wi-Fi network and was apparently in the vicinity of the Commission's headquarters. [18]

Reactions

Industry

Bulgarian IT professionals launched an online petition demanding open source software infrastructure for government services. The petition also demanded clarity on the billions spent on e-government since 2002 without noticeable results. [19]

References

  1. "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  2. "In systemic breach, hackers steal millions of Bulgarians' financial data". Reuters. 16 July 2019. Retrieved 22 July 2019.
  3. "About BGN 2 Billion have been Spent on the Absent Bulgarian E-government for 15 years". Novinite. 5 December 2017. Retrieved 22 July 2019.
  4. "Cybersecurity is tragic despite millions spent". Sega. 19 July 2019. Retrieved 22 July 2019.
  5. "EDUCATION MINISTRY'S NEW PLATFORM "OPEN AND SAFE SCHOOL" DISPLAYED PERSONAL DATA OF 1.2 MILLION BULGARIAN CHILDREN". Bivol.bg. 10 October 2017. Retrieved 22 July 2019.
  6. "The Commercial Register in Bulgaria Collapsed". SBS Australia. 24 August 2018. Retrieved 22 July 2019.
  7. "Crash of commercial register of Bulgaria blocks business deals". Bulgarian National Radio. 15 August 2018. Retrieved 22 July 2019.
  8. "Commercial Register Set to Resume Work in 16:00" (in Bulgarian). Dnevnik. 27 August 2018. Retrieved 22 July 2019.
  9. "The Trade Registry Now Down a Full Week". Mediapool. 18 August 2018. Retrieved 22 July 2019.
  10. "State Registry Copies Will be Kept in a Single Storage". Darik News. 15 August 2018. Retrieved 22 July 2019.
  11. "Parliament Adopts New Cybersecurity Law". Darik News. 31 October 2018. Retrieved 22 July 2019.
  12. "FOR 3 YEARS WHITE HAT 'BEGS' DATA PROTECTION WATCHDOG TO STOP LEAKS FROM ITS SITE". Bivol.bg. 12 July 2019. Retrieved 22 July 2019.
  13. "Personal data of millions of Bulgarian citizens leaked from NRA" (in Bulgarian). Kapital Daily. 15 July 2019. Retrieved 21 July 2019.
  14. "The Country With the Most Open Data in the World" (in Bulgarian). Kapital Daily. 19 July 2019. Retrieved 21 July 2019.
  15. "What happens when a country's entire adult population is hacked?". MIT Technology Review. 17 July 2019. Retrieved 21 July 2019.
  16. "Suspect Arrested for NRA Hacker Attack Released from Detention". Novinite. 18 July 2019. Retrieved 21 July 2019.
  17. "Kristiyan Boykov: I'm not the man who broke into NRA's system" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  18. "Hacking attempt against the Personal Data Commission prevented" (in Bulgarian). Dir.bg. 22 July 2019. Retrieved 22 July 2019.
  19. "Programmers demand open code for software at Bulgarian institutions". Dir.bg. 27 July 2019. Retrieved 28 July 2019.