The latest news item on the website of the police's cybercrime unit is from June 3 and says "Employees of the agency have successfully prevented the online sale of sunglasses that could be dangerous for eyes". And this comes right in the middle of the storm around the so-called cyberattack scandal: the personal and financial records of millions of taxpayers were hacked and made public. There is now even a basic search engine, developed by the news portal Bivol.bg, that lets anyone check whether their personal and financial information was exposed.
Files with sensitive financial data of over five million Bulgarian citizens were leaked this Monday. They are part of the archives of the Bulgarian tax agency – National Revenue Agency (NRA) and contain personal data regarding incomes, tax declarations, health insurance payments, and loans. This raises a serious concern about the vulnerability of governmental systems.
Many organizations, companies, associations, and institutions are now trying to use the case as an occasion for PR (black or not) activities. After a 20-year-old developer was arrested as a suspect, the questions of education, dev talent in Bulgaria and ethical hacking were raised… Yet, after everything said and written (see below), the picture is still pretty blurry: who hacked the systems of the NRA, what the reason was, and what will follow. What is clear, though, is that the systems are vulnerable.
What’s the noise about
The 11GB of information, containing 57 folders and 1044 files, was linked in an email sent by an anonymous hacker to the Bulgarian media. As it turned out, the data breach had already happened in June. The mail address was shut down about a day after the first mailing, after which only three media outlets received additional information, from a different address and from a person claiming to be a Russian citizen.
In a nutshell, the emails claimed that this is only half of the extracted information. It contains the personal identification numbers of 4.66m living and 1.38m deceased citizens. According to finance minister Vladislav Goranov's official statement, this is supposed to be only 3% of the NRA's databases. According to a former cybercrime unit inspector, most of the exposed data is old, as such leaks have been happening for years. In the second mail, the "hacker" also claimed that the data extraction has been going on for the past 11 years.
"Percentages and megabytes are an irrelevant piece of data here. The right question is how many citizens are affected. And the number is 'many'," commented Bozhidar Bozhanov on Facebook, founder of the infosecurity startup Logsentinel and former adviser to the Ministry of Interior.
According to Veselin Tselkov, a board member at the Commission for Personal Data Protection, Bulgaria's tax agency could now face a fine of up to €20m, the GDPR ceiling being €20m or 4% of annual turnover, whichever is higher.
The sensitive data could be used for blackmail, and firms and properties could be stolen more easily. On a more positive note, journalistic and institutional investigations of corruption could also be aided by the new data. These are, however, all speculations. In fact, the leaked data doesn't contain the personal identification codes needed to log into a person's account in the NRA system. The red flag here is how the system was hacked: it points either to a dramatic vulnerability or to great hacker talent in Bulgaria. As prime minister Boyko Borisov put it, the arrested 20-year-old suspect must be a wizard hacker. Yet…
One Google search away?
What basically happened, or at least the officially announced version of it, is that access to the agency's servers was gained through one of its e-services, the one used to refund VAT on foreign transactions (VATrefund). The breach was announced to be the result of a SQL injection (SQL is the language used to communicate with a database – ed. n.): input typed into a web form was passed into a database query without being properly separated from the query itself.
"Everyone with access to Google and basic literacy could hack this system. Googling 'SQL injection' will immediately give you information on the commands one needs to enter in the form instead of a name, ID number or other identification data, so you enter the databases," explains Anton Gerunov from the infosecurity startup Logsentinel simply. According to him, there is enough data and information available to make such a breach easily possible.
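To make the mechanism concrete, here is an added example (written for this page, not code from the NRA system or from Logsentinel) that builds a tiny in-memory taxpayer table and runs the same lookup two ways: once with the form value spliced into the SQL string, once with it bound as a parameter. The table, column names, sample rows and the VATrefund-style lookup are all constructed assumptions; the payload is the textbook tautology that any search for "SQL injection" turns up.

```python
import sqlite3

# Constructed sample data for the demo; these are not real NRA records.
SAMPLE_TAXPAYERS = [
    ("8001011234", "Ivan Petrov", 31200.00),
    ("7505057890", "Maria Ivanova", 48750.50),
    ("9209093456", "Georgi Dimitrov", 19980.00),
]

# The payload a visitor would type into the "ID number" field of the form.
INJECTION_PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with an assumed 'taxpayers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayers (id_number TEXT, name TEXT, income REAL)"
    )
    conn.executemany("INSERT INTO taxpayers VALUES (?, ?, ?)", SAMPLE_TAXPAYERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_number: str) -> list:
    """Vulnerable lookup: the form value is concatenated into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed
    as SQL. With INJECTION_PAYLOAD the WHERE clause becomes
    id_number = '' OR '1'='1', which is true for every row."""
    query = (
        "SELECT id_number, name, income FROM taxpayers "
        f"WHERE id_number = '{id_number}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, id_number: str) -> list:
    """Hardened lookup: a parameterized query. The value is bound as data
    by the driver and can never be interpreted as SQL syntax."""
    query = "SELECT id_number, name, income FROM taxpayers WHERE id_number = ?"
    return conn.execute(query, (id_number,)).fetchall()


def demo() -> tuple:
    """Return (rows for a legitimate lookup, rows dumped by the injection,
    rows returned when the same payload hits the parameterized query)."""
    conn = build_db()
    legit = lookup_vulnerable(conn, "8001011234")
    dumped = lookup_vulnerable(conn, INJECTION_PAYLOAD)
    blocked = lookup_safe(conn, INJECTION_PAYLOAD)
    return len(legit), len(dumped), len(blocked)


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns one row for a real ID number and every row in the table for the payload; the parameterized version returns nothing for the payload, because the whole string is compared literally against the column. The fix is the same in any language or database driver: never build the query text from user input, bind it.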
The Bulgarian Association of Cybersecurity has pointed out a few steps for maintaining security against attackers that might have helped to prevent such leaks. First, performing penetration tests, which reveal the weak spots in a system through which an attacker could gain access. Second, the traffic in the network of a state institution should be tracked by a dedicated system for management and monitoring. If the first two fail and a system is compromised anyway, computer forensics software should be used; such software performs a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computing device and who was responsible for it.
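The second step, monitoring, is the one that would have turned a months-old breach into a same-day alert. As an added example (not code from the association or from the NRA), here is a small scanner that parses web-server access-log lines and flags query-string values carrying common SQL injection indicators: a quote followed by an OR/AND tautology, a UNION SELECT, a comment sequence used to truncate the rest of the query, or a stacked statement. The log lines, the /vatrefund/search path and the id parameter are constructed for the demo; they do not reproduce the real service or the real attack traffic.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style); not real NRA traffic.
# The path and parameter name are assumptions made for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2019:10:01:12 +0300] "GET /vatrefund/search?id=8001011234 HTTP/1.1" 200 512
10.0.0.7 - - [14/Jun/2019:10:01:15 +0300] "GET /vatrefund/search?id=8001011234%27+OR+%271%27%3D%271 HTTP/1.1" 200 98304
10.0.0.7 - - [14/Jun/2019:10:01:19 +0300] "GET /vatrefund/search?id=1%27+UNION+SELECT+name%2Cincome+FROM+taxpayers-- HTTP/1.1" 200 204800
10.0.0.9 - - [14/Jun/2019:10:02:01 +0300] "GET /vatrefund/search?id=7505057890 HTTP/1.1" 200 511
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicator rules, applied to each URL-decoded query parameter value.
SQLI_RULES = {
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "comment_truncation": re.compile(r"(--|/\*)"),
    "stacked_query": re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I),
}


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(url: str) -> dict:
    """Return {parameter: [rule names]} for every query value that trips a rule."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decodes once; decoding again catches double-encoded payloads.
        decoded = unquote_plus(value)
        rules = [rule for rule, rx in SQLI_RULES.items() if rx.search(decoded)]
        if rules:
            hits[name] = rules
    return hits


def scan_log(log_text: str) -> list:
    """Return one finding per request whose parameters look like SQL injection."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["url"])
        if hits:
            findings.append(
                {"ip": rec["ip"], "ts": rec["ts"], "url": rec["url"],
                 "status": rec["status"], "size": int(rec["size"]), "rules": hits}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["rules"], "bytes=", f["size"])
```

Run against the sample, the scanner flags the two requests from 10.0.0.7 and leaves the two legitimate lookups alone. Note that the flagged responses are also orders of magnitude larger than the baseline 512-byte answer; pairing pattern rules with a response-size anomaly check is a cheap way to catch injection variants the regexes miss. Pattern rules like these are a signal for an analyst to look at, not a substitute for the parameterized query fix.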
Who did it?
It's still unclear. On Tuesday afternoon, the Bulgarian GDCOC (General Directorate Combating Organized Crime) arrested the 20-year-old white-hat hacker Kristian Boykov, suspecting he was involved in the attack. He was released on Thursday for lack of evidence.
The investigators linked Boykov to one of the files sent to the media: it contains a unique user name, a specific computer configuration, and a date and time. Boykov is reported to have led educational courses on cybersecurity for the GDCOC. Two years ago he broke into the database of the Ministry of Education and Science (MES). After notifying the MES about the vulnerabilities and getting no reply, he turned to a local TV show. This is when TAD Group, a global cybersecurity company based in California, US with an office in Sofia, offered him a job. Boykov has been working at the company as a cybersecurity expert since 2017.
Damage for the ecosystem?
The Bulgarian Startup Association BESCO pointed out in a Medium blog post that a "scandal of such scale seriously damages not only the reputation of the whole country but also the developing innovative companies in it." The organization also stressed that successful cybersecurity projects have been developed in Bulgaria. Implementing e-government, creating policies to promote R&D and technology transfer, promoting private investment and gradually building up capital markets, and transforming the country's economy towards export-oriented industries with high added value are just some of the issues that BESCO finds urgent to solve.
The country’s leading business organization, BIA, said it had warned the government of possible flaws in its data protection systems a year ago, reports Reuters.
Democratic Bulgaria, which aims to position itself as the party of the tech sector, broadcast an interview with its party member and IT specialist Ivaylo Mirchev, who called the leak a "digital catastrophe".
Whether the arrested suspect is indeed the right person, and what the largest data breach in Bulgaria so far will lead to, is still unclear. What is crystal clear, though, is that security is becoming an increasingly relevant topic for institutions and governmental structures. As of July 18, all the systems of the NRA are undergoing a security audit, an official statement on the institution's website says. According to an expert familiar with the matter, the National Social Security Institute and the National Customs Agency are next in line and need to be audited as soon as possible.
What can one do to prevent misusage of the leaked data?
In a Facebook post, cybersecurity specialist Bozhidar Bozhanov shared three easy actions:
activate notifications (SMS or email) for transactions on your bank account (via e-banking or at your bank branch)
activate notifications (SMS or email) for any changes within your property records in the Property Register
activate notifications for changes within your legal entities record in the Commercial Register