Police in Bulgaria have arrested a 20-year-old man after a hack against the Bulgarian tax authority, known as the National Revenue Agency (NRA), which saw data on every single adult living in Bulgaria stolen and offered to the media.
Every adult living in Bulgaria? Yes. According to local media, apparently practically every adult member of the Bulgarian population has had their name, address, and even personal income details stolen through a vulnerability in a VAT refund system. An additional 1.38 million dead people have had their data leaked too.
Finance Minister Vladislav Goranov confirmed the security breach, and apologised “to all Bulgarian citizens who have been made vulnerable”, according to Reuters.
What will raise some eyebrows is that the man who has been arrested in connection with the hack is Kristiyan Boykov from the city of Plovdiv. Boykov has been working since 2017 for the security firm TAD GROUP, which describes itself as having “extensive experience in conducting penetration tests and security assessments.”
Boykov came to the attention of the penetration testing company two years ago, after he found vulnerabilities on a Ministry of Education and Science (MES) website which allowed him to access a database containing details of companies offering internships to students.
When the ministry failed to respond, Boykov went to popular Bulgarian TV show “Lords of the Air” with his findings.
Police say they do not believe that Boykov’s employer, TAD GROUP, is connected with the NRA breach, but computer equipment, drives, and mobile phones were seized at its offices in Sofia, as well as at Boykov’s home. In a press statement, TAD GROUP said it would assist the authorities in their investigation, and that Boykov “has always been ethically, professionally and loyal to his work commitments, including our clients and the entire team.”
According to local media reports, Boykov’s work for the company has included providing cybersecurity training to the very same law enforcement agency that has since arrested him. Sounds like he trained them well.
Bulgarian anti-virus veteran Vesselin Bontchev tweeted a screenshot of what is claimed to be a message sent to local media by whoever hacked the NRA.
This is the follow-up message sent by the Bulgarian National Revenue Agency hacker to 3 media outlets (2 TV channels and a newspaper): pic.twitter.com/lN7HhvIAoo
— Vess (@VessOnSecurity) July 17, 2019
Lawyers working for Boykov have briefed the media about their belief that the young researcher may have been framed by competitors, arguing that he is too competent to leave clues pointing to his identity on the breached system.
If details of the security breach are accurate, the NRA could find itself facing a fine of up to 20 million Euros (US $22.5 million). Boykov, if convicted, could be sentenced to up to eight years in prison.