NRA in Bulgaria faces hefty fine for personal data leak
This transpired in a Nova TV interview with the head of the Personal Data Protection Agency (PDPA), Ventsislav Karadjov, on Sunday.
"There will surely be sanctions, not insignificant ones," he said.
A PDPA audit at the Revenue Agency starts July 22 and is due to be over within a month.
"Businesses and public organizations should wake up.
[...] Between 2006 and 2019 very little was done to protect the information that is being handled.
Especially by the public bodies.
By law, they are required to protect the data they use.
We had to experience this brutal theft to become aware that efforts need to be made to protect personal data," Karadjov commented.
He is adamant that the tests run on the NRA system security, if any, were insufficient.
Nor has the NRA followed the regulator's recommendations, he added.
Karadjov believes the worst problem with this data breach is that it affects almost all Bulgarians.
He explained that it is not possible to use the stolen data to take out loans or perform bank transactions, if the institutions involved follow the rules.
A 20-year-old employee of a Sofia-based cybersecurity company was arrested for the NRA data breach but was released on July 18, after NRA apparently told the investigators that the hacked information system was not considered critical infrastructure.
The suspect, Kristian Boykov, denies any involvement and his employer suspects that he has been framed by rivals in order to harm ongoing projects of his company.
He, however, remains a suspect.
Deputy Prime Minister Tomislav Donchev said in a TV interview that the data breach aimed to destabilize the government, if perpetrated domestically, or to destabilize the nation, if perpetrated internationally.
NRA spokesperson Rossen Buchvarov said in a Bulgarian National Radio interview on Sunday that the vulnerability of the NRA systems is currently being tested and some electronic services might be suspended, if necessary.
Some services have been upgraded, he added.
"This is not a catastrophe but neither is it an insignificant setback.
We are focused on two things.
The first is to assess and identify any other vulnerabilities in the NRA information system and deal with them immediately.
The second is to provide as much useful information for people," said the NRA spokesperson.
He went on to say that the main NRA functionalities run glitch-free.
"We have no reason to believe that any vulnerabilities continue to be exploited.
The electronic services are operable and all NRA entry and exit points look secure.
We have identified risks with respect to some peripheral services but no data leak."
He said that the data breach has shown the vulnerability of the NRA information system and people will have to take responsibility for that "but the immediate task of the Agency is to tell people, A, if their personal data have been affected, B, what those data are, and C, what they can do to minimize the damage".
Buchvarov said that NRA is shortly launching a platform where people can check whether their personal data have been affected.
He explained that some 3 per cent of the NRA database has been affected, including the names and personal identity numbers of more than 4 million living and more than 1 million dead Bulgarians.
The information is partial and cannot be used for exhaustive profiling of any of those people.
"Which does not mean that those partial data are not sensitive," said Buchvarov.