Hacker steals data of millions of Bulgarians, emails it to local media

Source of the data breach appears to be the country's National Revenue Agency.
Written by Catalin Cimpanu, Contributor

A mysterious hacker has stolen the personal details of millions of Bulgarians and has emailed download links to the stolen data to local news publications.

The data's origin is believed to be the country's National Revenue Agency (NRA), a department of the Bulgarian Ministry of Finance.

In a message posted on its website on Monday, the NRA said it was working with the Ministry of the Interior and the State Agency for National Security (SANS) to investigate the hack.

"We are currently verifying whether the data is real," said the NRA.

Hours after this article's publication, the Bulgarian Ministry of the Interior confirmed the hack.

Hacker stole 110 databases, leaked 57

According to reports from local media [1, 2, 3, 4, 5], which received part of the data, the hacker said they stole the personal details of over five million Bulgarians, out of the country's total population of seven million.

The hacker bragged about stealing 110 databases from NRA's network, totaling nearly 21 GB. The hacker shared only 57 databases, comprising 11 GB of the aggregate data, with local news outlets but promised to release the rest in the coming days.

The leak contains names, personal identification numbers (PINs), home addresses, and financial earnings. Most of the information is years old, dating back as far as 2007, but newer database entries were also discovered.

Besides NRA-specific information, there is also other info which appears to have been imported into NRA systems from other government agencies.

The leaked data also contained information from the Department Civil Registration and Administrative Services (GRAO), a database the department described as similar to "the Social Security Number (or similar) identification in other countries."

Information was also found that belonged to Bulgaria's customs agency, namely data from the Bulgarian Excise Centralized Information System (BECIS), a database for storing information about excise taxes for imported goods.

In addition, there was also some information that local media deemed to have belonged to the National Health Insurance Fund (NZOK), although they have not detailed the precise nature of the information, and data from the Bulgarian Employment Agency (AZ).

Hacker is an Assange fan

The hacker contacted local media from a Yandex.ru email address and included a variation of a quote from WikiLeaks founder Julian Assange, which roughly translates from Bulgarian to "Your government is stupid. Your cybersecurity is a parody."

In an interview with a Bulgarian TV station, the hacker claimed he was a Russian man married to a Bulgarian woman, although these statements should not be taken at face value. He also claimed to have had access to the NRA's network for more than 11 years.

Opposition parties in Bulgaria have not wasted any time. Within hours of the leak going public, the Democratic Bulgaria party demanded the resignation of Finance Minister Vladislav Goranov.

Last month, Bulgarian authorities arrested and temporarily held a Bulgarian IT expert for publicly releasing details about how to exploit a vulnerability in a state-managed kindergarten web portal to harvest the GRAO details of all Bulgarians. The two incidents don't appear to be related.

Article updated at 08:15am ET with new information about Bulgarian authorities confirming the hack and new information on the hacker.