Incident Of The Week: 4 Million Bulgarian Citizens Affected By Tax Agency Data Breach

Legacy Systems And Lack of Preventative Measures Considered Contributing Factors

Jeff Orr

Incident Of The Week: Bulgaria Tax Agency Data Breach

More than 4 million of Bulgaria’s 7 million citizens were affected by a security breach in June 2019, which compromised personally identifiable information and financial records lifted from the country’s tax agency. An estimated 200 citizens had names, addresses, personal identification numbers, and ID card details shared with media outlets.

The incident was detected when someone posing as a Russian hacker approached Bulgarian media with the National Revenue Agency data. In the aftermath of the incident, banks and credit lenders were put on alert for potential loan and property transaction fraud.

Prosecutors believe a cyber security worker at Tad Group led the June attack on the country’s tax agency, though some believe the suspect was likely aided by others. Cyber security employees are often tasked with testing their organization’s networks for potential vulnerabilities, and the same skills could be used to run similar tests against businesses and government organizations.

Legacy systems and a lack of preventative measures by the Bulgarian government are suspected of being the weaknesses that left the citizen records database exposed.

Bulgaria is a member of the European Union (EU), which recently implemented a data protection law to fine companies for data mismanagement. When the dust settles and evidence is collected, Bulgaria’s tax agency could face fines of up to $22.5 million over the breach.

Coincidentally, data from the EU’s EUROFISC anti-fraud network was also included in the stolen data shared with media organizations. The network shares data with EU member countries to identify patterns related to Value-Added Tax (VAT) fraud.

Estimates of what a data breach costs an organization, in terms of response and recovery, vary. Some surveys suggest the figure can be upwards of 5% of company revenues. However, the measuring stick for government and public sector agencies differs greatly from that for commercial entities. Qualitative characteristics, such as trust, weigh more heavily in the minds of public sector constituents.

Bulgaria recently joined NATO’s Cooperative Cyber Defence Centre of Excellence, which serves as a hub for cyber defense research, training, and exercises. Governments, which have not historically adopted technology at the same rate as businesses, can quickly find themselves playing catch-up. Increasingly, organizations have been formed to fill the void for education and best practices in hopes of mitigating cyber security risks.

Not all government officials have expressed the same level of concern about cyber defenses of agency systems. Noting that ethical hackers contribute to the in-demand cyber security workforce, Bulgaria’s Prime Minister Boyko Borisov said that the country should hire similar people to work for the state.

Key Takeaways From These Cautionary Tales Of Cyber Security Incidents:

  • Patch or remove outdated systems
  • In addition to threat response mechanisms, implement preventative cyber security measures
  • Assess security practices when considering data sharing with partners, suppliers, and service providers
  • Cyber security awareness and education never cease. Consider joining communities of a similar industry sector or geographic proximity to share best practices and learn about new threats
  • Governments are imposing fiscal penalties on organizations (both public and private sector) that mismanage data