The Commercial Register meltdown in Bulgaria: a forensic analysis

By Valia Ahchieva

On 10 August last year, the Commercial Register in Bulgaria went off, creating unprecedented chaos. Citizens, companies and the administration remained cut off from a vital database. The uncertainty fuelled fears of abuse and nightmare scenarios.

Seven months after the meltdown of Bulgaria’s Commercial Register, none of the state institutions communicated the reasons for the sequence of events that unfolded last summer. And the facts show that these events are not accidental. The crisis in managing the information activity of the Registry Agency is the result of a number of significant gaps. Those in power keep silent about who is responsible for management decisions that proved obviously inadequate to the requirements for the normal operation of the Commercial Register.

However, an analysis of the State Agency for National Security (DANS) indicates that if lessons are not learned, this could lead to the recurrence of the accident with the Commercial Register or in other institutions and organizations.

What has actually happened to the Commercial Register – an activity in the prerogatives of the state of the highest importance and with highest risk potential?

Here’s the CHRONOLOGY OF THE MELDOWN.

On 05.08.2018, at 00.45 h, the first drive from the disk configuration is damaged.

On 09.08.2018, at 17.36 h, the second drive is damaged.

On 09.08.2018, at 17.43 h, the third drive is damaged.

On 09.08.2018, at 18.04 h, the fourth disc is also damaged.

Due to the short interval in which disks from the same disk group were damaged, it was impossible to restore the normal business functionality of the Commercial Register.

An unmanageable risk was created because the disks affected are both from the main and backup information centers.

The Commercial Register is based on the Oracle platform.

On 10 August the Minister of Justice Tsetska Tsacheva sent a signal to the competent authorities about a hardware problem that led to the suspension of the operation of the database of the Commercial Register and the Register of Non-Profit Legal Entities.

The companies that serve the information systems of the Registry Agency are: Stemo Ltd. for hardware maintenance, Lirex BG Ltd. for maintaining the database, the domain controllers and the communication devices, and the company “Siensis” Ltd. to build and supports the web servers.

The control of the activities of the companies is carried out by employees in the IOT directorate at the Registry Agency.

The databases in the systems that serve the Commercial Register are located in three places: a main information center in the building of the Registry Agency in Sofia, a reserve center in the Business Park in Sofia and an emergency and restoration center in Shumen.

The investigation by the Sofia City Prosecutor’s Office found that the incident had occurred due to hard drives’ malfunction. And the resuming of the work of Commercial Register’s work was not possible due to the lack of adequate archive copies of the database.

The archival copies were a commitment of Lirex BG, according to the contract with the Registry Agency, the Prosecutor’s Office said.

On 10 August the Registry Agency received a Plan for Restoring the Employability of the Commercial Register, sent by Lirex BG. It describes the initial actions after receiving the incident alert.

On August 14, a plan for recovering the Commercial Register was produced.

Among the facts established by the Prosecutor’s Office is a report of Lirex BG, dated 03.07.2018. In this report, the support firm made a recommendation to the Registry Agency – it flagged the need of additional resource to increase the ability to archive data.

The then Executive Director of the Registry Agency, Zornitsa Daskalova, found that this report was too formal and unclear. And also that these recommendations were already answered when the contract was concluded.

The selection of companies for all system maintenance at the Registry Agency was carried out following the procedures under the legislation for state procurement. Each procedure related to information systems has been coordinated with SANS and the State Agency for Electronic Governance, which controls all electronic systems in the country.

Regarding the control at the Registry Agency, both former CEO Zornitsa Daskalova and the current Executive Director Gabriela Kozareva argue that the employees of the IOT Directorate DO NOT HAVE THE EXPERTISE NEEDED as well as knowledge of the Oracle operating system in order to adequately control all activities , carried out by the Lirex BG maintenance company.

The civil servants actually have only looked at the documents provided by the contractor.

According to the current Director of the Registry Agency Gabriela Kozareva, the CONTRACTOR COMPANY CONCENTRATES A HUGE POTENTIAL FOR INFLUENCE AND MANIPULATION OF DATA, as well as the possibility of remote access, albeit by contract.

This in fact means that a PRIVATE COMPANY has a complete control over the processes of the Registry Agency.

And the lack of staff knowledgeable of the Oracle operating system leads to the LACK OF OBJECTIVE POSSIBILITY OF CONTROL.

The Sofia City Public Prosecutor’s Office concludes in its verification that there is A GREAT DEAL OF DEPENDENCE of the Registry Agency from a PRIVATE COMPANY and OBJECTIVE INABILITY for adequately control by the Registry Agency.

However, the prosecutor concludes that, in fact, this is a breach of contract by the Contractor.

And that THIS DOESN’T CONSTITUTE A CRIME.

The Prosecutor writes in his Ordinance for denial of pre-trial proceedings that the assessment of the adequacy of the managerial decisions is a task of the Executive.

The lack of any control by the State Agency for Electronic Management, in connection with the concluded contract between the Registry Agency and the company Lirex BG, as well as its subsequent implementation, has also been established.

The control body did not exercise control over information security, the prosecutor found, but that was NOT a crime.

It also suggests that the Supreme Administrative Prosecutor’s Office carry out an inspection of the State Agency for Electronic Governance under the supervision of legality.

The Supreme Administrative Prosecutor’s Office has done so.

The audit found that the crisis in managing the information activities of the Registry Agency was due to significant deficiencies.

No inspections have been carried out by the State Agency for Electronic Control under the supervision of compliance with the requirements of the Electronic Information Security Act. There were no inspections of the information security of the Commercial Register. No audit was performed by the State Enterprise “Electronic Management”. Indeed, in the course of the prosecution, it was established that the State Enterprise was not operating for a second year now, in violation of the Electronic Governance Act. Moreover, its Rules of Procedure have not been adopted, as required by Paragraph 46 of the Act.

In the course of the inspection, the State Agency for Electronic Governance, headed by Atanas Temelkov, makes the following shocking conclusions concerning the Registry Agency:

“Risk of change management – CRITICAL.

Risk of Security Management – CRITICAL.

Risk of Operations Management – CRITICAL.

General conclusion: CRITICAL HIGH RANGE OF RISK for the activity and IT activities and information systems of the registers of the Registry Agency, as of 09.08.2018″.

The Supreme Administrative Prosecution has also ordered immediate measures to mend the breaches of information security requirements. Undoubtedly the information in the Commercial Register is of key importance for the functioning of the market economy in Bulgaria.

A worrying fact can only add to the hype surrounding the incident and las September’s actions of the competent authorities .

Back then, the Registry Agency asked TO DELETE DATA FROM THE MALFUNCTIONING DISKS.

But DANS said “NO”!

The data generated in the normal operation process and in the process of trying to restore the Commercial Register is in fact revealing the reasons that led to the slow recovery of the normal operation of the Registry. These data also reveal the incompetent actions of the involved departments and officials.

THESE DATA SHOULD NOT BE DELETED, says DANS. The data should be retained until a detailed analysis of the organizational, administrative and technical deficiencies that led to the incident is made.

According to the State Agency for National Security, it is wrong to say that this data is not necessary.

And the Minister of Justice Tsetska Tsacheva, in her letter to the Supreme Administrative Prosecution from 12.02.2019. ALSO STATES THAT the defective disk configuration and the information kept in it is preserved as of the time of the Commercial Register crash. And this disk configuration was still not used as of 12.02.2019, according to the instructions that it should be kept as evidence.

“Thus, once again, the Registry Agency has deprived more than half of the disposable common disk capacity”, writes Minister Tsacheva. She argues that this is how a CRITICAL NEED of additional disk capacity has emerged. Therefore, from the emergency-recovery center in Shumen was transported and installed in Sofia a disk configuration in order to guarantee the reliability of the database of the registers and their backups.

In relation with the emerging CRITICAL NEED for additional disk capacity, the Registry Agency has entered into a contract with Telelink Business Services EAD for the delivery of the necessary equipment.

And when the new equipment will come to Sofia under this contract, then the Shumen office would be returned the backup disks, said Minister Tsetska Tsacheva.

She said they kept the defective disk configuration as evidence.

Evidence of what and against whom?

Didn’t the Sofia City Prosecutor’s Office say in writing that there was no crime? It even refused to form pre-trial proceedings.