Cyber Incident Victim: Bulgaria National Revenue Agency
Date: Jul 2019
Location: Bulgaria
Summary
A cyberattack compromised the Bulgarian tax agency, exposing sensitive data of millions. The perpetrator exfiltrated 110 databases totaling 21 GB, initially sharing 57 databases (11 GB) with media outlets while threatening further releases. Breached information extended beyond tax records to include customs excise systems, health insurance details, and employment agency data. The hacker, communicating via a Russian email service, taunted authorities with a derogatory message about government cybersecurity and falsely claimed Russian ties along with over a decade of network access. Political repercussions emerged swiftly as opposition parties demanded the finance minister's resignation. This incident followed the unrelated arrest of a local IT expert for exposing vulnerabilities in another government system.
Description
On or around July 15, 2019, a hacker compromised the systems of Bulgaria’s National Revenue Agency (NRA), a department within the Ministry of Finance, exfiltrating sensitive data belonging to millions of Bulgarian citizens. The attacker contacted multiple Bulgarian media outlets via a Yandex.ru email address, providing them with approximately 11 GB of data from 57 databases and claiming to have stolen a total of 110 databases representing nearly 21 GB of information. The hacker included a Bulgarian-translated variation of a Julian Assange quote mocking the government’s cybersecurity posture, stating, "Your government is stupid. Your cybersecurity is a parody." The NRA publicly acknowledged the incident on its website on July 15, confirming collaboration with the Ministry of the Interior and the State Agency for National Security (SANS) to investigate the breach. The Bulgarian Ministry of the Interior formally verified the attack hours after initial media reports emerged.

The compromised data extended beyond the NRA’s systems, incorporating information from other government agencies, including the Bulgarian Excise Centralized Information System (BECIS) managed by the customs agency, which stored excise tax records for imported goods. Local media also identified data allegedly originating from the National Health Insurance Fund (NZOK) and the Bulgarian Employment Agency (AZ), though specifics about the health-related data were not disclosed. The hacker claimed in an interview with a Bulgarian TV station to be a Russian citizen married to a Bulgarian woman and asserted unauthorized access to NRA networks for over 11 years, though authorities cautioned against accepting these statements as factual. Opposition party Democratic Bulgaria demanded the resignation of Finance Minister Vladislav Goranov within hours of the breach becoming public. The incident occurred approximately one month after Bulgarian authorities arrested a local IT expert for exposing vulnerabilities in a state-managed kindergarten web portal, though no connection between the two events was established.
