Two charged with ‘terrorism’ over Bulgaria’s biggest data breach

The offices of TAD group, the cyber-security company in which the two people charged with terrorism work. [Dnevnik]

Prosecutors have charged two workers at a cybersecurity company with terrorism as part of an investigation into Bulgaria’s biggest-ever data breach, a lawyer for the defendants said on Wednesday (24 July).

Georgi Yankov, a manager at the company Tad Group, has been charged and released from custody, Georgi Stefanov said.

Earlier charges of crime against information systems against Kristian Boykov, a 20-year-old cybersecurity worker at the same company, have been changed to terrorism, he added.

Both deny wrongdoing, Stefanov said.

Prosecutors were not immediately available for comment.

“We are very surprised with these charges,” Stefanov told Reuters. “How do you charge someone with terrorism but let them go?” he added.

On Tuesday, police raided the offices of Tad Group, seizing computers and detaining a manager over last month’s cyber-attack on the tax agency, in which nearly every Bulgarian adult’s personal data and financial records were compromised.

In systemic breach, hackers steal millions of Bulgarians' financial data

Bulgaria’s finance minister apologized to the country on Tuesday (16 July) after admitting hackers had stolen millions of taxpayers’ financial data in an attack that one researcher said may have compromised nearly every adult’s personal records.

Boykov was conditionally released from custody last Wednesday, but banned from leaving the country.

Prosecutors have said they believe Boykov did not act alone and were looking for others in connection with the attack.

Prosecutors believe Boykov was behind an email sent from someone purporting to be a Russian hacker who was offering stolen tax agency files to local media. They do not currently believe the attack came from abroad.

Prosecutors said decrypted data from one of Boykov’s computers led them to conclude for the time being that he had the stolen data before it was published online.

The tax agency is facing a fine of up to €20 million over the breach under GDPR rules, which officials have said compromised about 3% of the agency’s database.

According to financial newspaper Capital, the leaked data also included files from the EU’s anti-fraud network EUROFISC, which allows national tax administrations to share information on fraudulent activities and combat organised VAT fraud.

On Wednesday, the tax agency said it would contact 189 Bulgarians whose full names, personal identification numbers, addresses and ID card details were among the leaked data.

The other more than four million Bulgarians affected by the breach do not need to change their ID cards, the agency said.

The agency has informed notaries, banks and credit lenders in the Balkan country over the data breach and urged them to be extra vigilant in approving property deals or extending loans.

Bulgarian MEP Ivo Hristov (S&D) raised the issue on Tuesday at meetings of the Committee on Industry, Research and Energy (ITRE) of the European Parliament.

Hristov asked Finnish minister of economic affairs Katri Kulmuni, and Sanna Marin, minister of transport and communications, who presented the Finnish presidency priorities in the ITRE committee, what the EU could do to help in the case of the data breach, and what was possible to be done under recently adopted EU legislation.

The answers were rather evasive.

The MEP also asked the Commission Director for cybersecurity Despina Spanou if the Bulgarian authorities had asked for help.

Spanou said that Bulgaria’s Commissioner Mariya Gabriel, who is in charge of the digital portfolio, has informed the competent authorities, and such an exchange of information could prevent similar cases in other member states. Spanou also qualified the theft of financial data  as “a very serious breach in data protection”. [More]

Subscribe to our newsletters