By Georgi Gotev
Hackers have stolen millions of taxpayers’ financial data from the National Tax Agency (NAP) in an attack that aid may have compromised nearly every adult’s personal records.
The breach of servers at the tax agency happened at the end of June and became known ten days ago. Ever since, the presumed hacker was identified as a young professional working in a Sofia IT company, but conspiracy theories keep circulating about the possible sponsors of such an attack.
Last August the Bulgarian Trade registrar suffered technical problems and went offline for almost three weeks, creating a huge chaos for the Bulgarian business community. The issue appears to be a failure of the four hard disks of the system, and not a hacker attack.
Moreover, Bulgarian Prime Minister Boyko Borissov has deplored “terrible” Russian cyberattacks during the Bulgarian Presidency of the Council of the EU (first half of 2018), and described a situation in which he asked his staff to unplug computers from the sockets.
One of the effects of these developments is that Bulgarian public opinion is now lass favourable to projects such as the electronic government or machine voting.
MEP Ivo Hristov (S&D) raised the issue on Tuesday at meetings of the Committee on Industry, Research and Energy (ITRE) of the European Parliament.
Hristov asked Finnish minister of economic affairs Katri Kulmuni, and Sanna Marin, minister of transport and communications, who presented the Finnish presidency priorities in the ITRE committee, what the EU could do to help, and what was possible to be done under recently adopted EU legislation.
Under new EU rules adopted on 17 May, individuals and groups conducting cyber-attacks from outside the bloc may be hit with potential sanctions, including travel bans and asset freezes.
The answers were rather evasive. He also asked the Commission Director for cybersecurity Despina Spanou if the Bulgarian authorities had asked for help. Spanou said that Bulgaria’s Commissioner Mariya Gabriel, who is in charge of the digital portfolio, has informed the competent authorities, and such an exchange of information could prevent similar cases in other member states. Spanou also qualified the theft of financial data from NAP as “a very serious breach in data protection”.
Under the General Data Protection Regulation (GDPR), the national regulator is supposed to look into the breach and possibly to impose a fine, which could be quite significant.
Ivan Geshev, who is on his way to become the next Prosecutor General of Bulgaria (he is now the deputy of the incumbent Sotir Tsatsarov), has described the hacker attack as an attempt to destabilise the country, and the company in which the alleged hacker works (TAD Group) as “a factory for cyber-racket”, in his words attacking the databases of commercial or state entities with the aim of enrolling them as clients.
He also claimed that a file found in the hacker’s computer named “search for bivol” was linked to searches by the hacker on personal data of MEP Emil Radev. Bivol.bg is an investigative website and the mention seems to be an attempt to discredit them.
Commentators have said that Geshev is exceeding his powers, and that “in a normal country”, a company like TAD Group would sue for huge damages.