Security researcher arrested after data on every adult in Bulgaria hacked from government site

Graham Cluley

Security researcher arrested after data on *EVERY* adult in Bulgaria breached

Police in Bulgaria have arrested a 20-year-old man after a hack against the Bulgarian tax authority, known as the National Revenue Agency (NRA), which saw data on every single adult living in Bulgaria stolen, and offered to the media.

Every adult living in Bulgaria? Yes. According to local media, practically every adult member of the Bulgarian population has had their name, address, and even personal income details stolen through a vulnerability in a VAT refund system. Plus an additional 1.38 million dead people have had their data leaked too.

Finance Minister Vladislav Goranov confirmed the security breach, and apologised “to all Bulgarian citizens who have been made vulnerable”, according to Reuters.

What will raise some eyebrows is that the man who has been arrested in connection with the hack is Kristiyan Boykov from the city of Plovdiv. Boykov has been working since 2017 for the security firm TAD GROUP, which describes itself as having “extensive experience in conducting penetration tests and security assessments.”

Boykov came to the attention of the penetration testing company two years ago, after he found vulnerabilities on a Ministry of Education and Science (MES) website which allowed him to access a database containing details of companies offering internships to students.

When the ministry failed to respond, Boykov went to popular Bulgarian TV show “Lords of the Air” with his findings.

Boykov TV appearance

Police say they do not believe that Boykov’s employer, TAD GROUP, is connected with the NRA breach, but computer equipment, drives, and mobile phones were seized at its offices in Sofia, as well as at Boykov’s home. In a press statement, TAD GROUP said it would assist the authorities in their investigation, and that Boykov “has always been ethically, professionally and loyal to his work commitments, including our clients and the entire team.”

According to local media reports, Boykov’s work for the company has included providing cybersecurity training to the very same law enforcement agency that has since arrested him. Sounds like he trained them well.

Bulgarian anti-virus veteran Vesselin Bontchev tweeted a screenshot of what is claimed to be a message sent to local media by whoever hacked the NRA.

Lawyers working for Boykov have briefed the media about their belief that the young researcher may have been framed by competitors, arguing that he is too competent to leave clues pointing to his identity on the breached system.

If details of the security breach are accurate, the NRA could find itself facing a fine of up to 20 million Euros (US $22.5 million). Boykov, if convicted, could be sentenced to up to eight years in prison.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.