After a massive hack in Bulgaria, the prime minister called the attacker a “wizard,” but cybersecurity experts said the security was simply inadequate.
The hack: A 20-year-old man was arrested in Sofia, Bulgaria, on Tuesday afternoon and charged with an unprecedented hack of the country’s tax authority, ending with the theft of sensitive personal records from nearly every adult in Bulgaria, according to local reports. The suspect, whose name is Kristiyan Boykov, according to Bulgarian media, faces up to eight years in prison. Police say others may have been involved.
The country’s officials have spent the week revealing and apologizing for the pillaging of Bulgaria’s National Revenue Agency (NRA) in June, Reuters reported. Personal and financial data for millions of taxpayers was leaked by email to local journalists. The data leak includes names, addresses, income and earnings information, and personal identification numbers, totaling 21 gigabytes and extending back over a decade.
In the email, the hacker described the Bulgarian government as corrupt. (Indeed, Bulgaria ranks as the most corrupt country in Europe, according to Transparency International.)
The reaction: Prime Minister Boyko Borissov called Boykov a “wizard” and said the country should hire people like him. Security professionals in Bulgaria are disputing the compliment and say the vulnerability never should have been exposed.
“It was alleged in the press that internal sources say the attack was an SQL injection,” said Bozhidar Bozhanov, an executive at the Bulgarian security company LogSentinel. “SQL injections are easy to detect and somewhat easy to exploit. Protecting from SQLi should have been done on many levels. First, in the software requirements. Second, during acceptance tests. And third, during operation by regularly scanning publicly facing services for vulnerabilities. Apparently none of this has been done.”
The facts: There is a gap between the hacker’s claims and what the Bulgarian government says happened. The facts are still being determined.
The hacker claimed to have stolen data from over 5 million Bulgarians. The country’s entire population is around 7 million. Finance Minister Vladislav Goranov said 3% of the NRA’s databases were impacted. Although the number is in the millions, it’s not clear how many individuals Goranov believes are affected, but he said financial stability was not in danger.
Goranov apologized to Bulgarian citizens in front of the country’s parliament.
Vesselin Bontchev, a cybersecurity researcher and assistant professor at the Bulgarian Academy of Sciences, said the suspect left a mountain of digital traces that led to his arrest.
“I can’t say the hacker was a ‘wizard,’” Bozhanov said. “If he indeed got caught so quickly, it means he was sloppy rather than a mastermind.”
The consequences: The scope of this attack is vast, and the number of unanswered questions remains significant.
The email the hacker sent to journalists with the leaked data came from a Russian email address. No one is quite sure what that means yet, but given the tension between Russia and Europe, especially in cyberspace, it’s a detail that’s attracted immediate attention.
Closer to home, the Bulgarians are looking at their government and wondering what went so badly wrong.
“We have to note that NRA is one of the most technically advanced administrations in Bulgaria,” Bozhanov said. “This issue may or may not be representative of the entire stack of technologies and services inside, but the fact that so much data was breached hints that few operational-security best practices were followed.”
The big open questions include who was behind the attack, and whether it was an individual, a group, or even a nation-state. Criminals, activists, and governments use hacked data in entirely different ways that can spell distinct forms of trouble for the Bulgarians affected by this breach.
One thing is clear: a reckoning has arrived for Bulgaria’s cybersecurity. Whether the government recognizes it or not, outside hackers certainly will.