On 1 November every year, Finland publishes the taxable income of each of its citizens, allowing all interested parties - from newspapers to spouses - to find out how much everyone earns. Dubbed "National Jealousy Day" by the New York Times, the event serves the important social function of exposing the highest earners and finding out whether they are tax dodgers.
Ironically, Bulgaria had its own version of National Jealousy Day on 15 July, when an unnamed hacker emailed a link to 57 National Revenue Agency (NRA) databases, over 11 GB of Bulgarian citizens' private data, to several selected Bulgarian and international media outlets, including the Capital Weekly. The data leak affected about 4.66 million working-age Bulgarians (some of them deceased). It contained sensitive details about their income, social security status and telephone numbers as well as email and physical addresses. The NRA data breach became known as NAPLeaks, as the acronym for NRA in Bulgarian is NAP.
Transparency uncalled for
"Your government is retarded. The state of your cybersecurity is a parody," the email carrying the link noted. It added that this was only part of the information that the hackers had allegedly accessed. Some of the data was found to go back to 2007, but other information was dated June 2019. In a second email, the hacker claimed to be a Russian married to a Bulgarian.
Overnight, Bulgaria became, albeit accidentally, the most transparent country in the world, at least when it comes to releasing personal information on its own citizens. And if the details surrounding the leak itself were perplexing, the reactions of the responsible institutions were outright bewildering.
The Russians are coming!
First of all, on the day after the leak, Interior Minister Mladen Marinov suggested a possible Russian connection, speculating that the data breach was staged in revenge for Bulgaria's purchase of eight US-made fighter jets. However, the only suggestion of a Russian connection was that the hacker had sent an email from a Russian domain address, as Finance Minister Vladislav Goranov announced later when he confirmed that Bulgarian taxpayers' personal financial data was indeed compromised by an individual who broke into the country's electronic tax refund system. Mr Goranov insisted the data stolen did not include classified information and did not "constitute a threat to financial security".
The "Russian connection" version, which was shared by members of the cyber crime department of the Interior Ministry and government-aligned analysts, did not hold for long. On 17 July, Kristiyan Boykov, a 20-year-old IT specialist with no connection to Russia, who had previously hacked the Education Ministry's website in 2017, was taken into custody.
He was released just 72 hours later, after no state body involved in the investigation managed to break the encryption protecting his private and office servers. Mr Boykov complained that investigators had threatened him to make him confess to the crime. On the other hand, he was complimented by none other than Prime Minister Boyko Borissov, who called him "a magician" and said the state should do more to attract such bona fide IT talents.
The Prosecutor's Office was less impressed. Once it managed to decrypt Mr Boykov's personal and office computers, in an unprecedented move it charged Mr Boykov and Ivan Todorov, his boss at the Bulgarian-US cybersecurity company TAD Group, with cyber terrorism and an attempt to destabilize the state. To strengthen its case publicly, the prosecutors published several screenshots of chats between Mr Todorov and Mr Boykov. One prosecutor even spread the theory that the alleged cyber terrorists wanted to take over the irrigation system in front of the parliament building and turn it on at a specific moment to drench visiting foreign dignitaries. Unfortunately for the Prosecutor's Office, the Sofia municipal authorities and the parliament administration said the irrigation system is manually controlled and in no way connected to the internet.
This was, however, far from the last absurdity surrounding the scandal. The only casualties of the leak were two IT specialists at the NRA, while the director of the agency, Galya Dimitrova, did not appear in public for more than a week after the leak.
"It was a hard but well-thought decision not to cancel my vacation. I had an important personal reason for that. One needs to be responsible both professionally and personally," Ms Dimitrova said to the shocked amusement of the public.
Needless to say, she is still the director of the agency. Additionally, the 2.5 million euro fine that the Commission for Protection of Personal Data imposed on the NRA for the data breach was to all intents and purposes useless, as it would only amount to the transfer of money from one state institution to another, without leading to any meaningful repercussions for those involved in the leak. Last, but not least, a number of Bulgarian TV stations did not obscure the link to the downloadable folder they had received from the hacker, so anyone interested could simply type in the URL and download the information.
It is still unclear what prompted the hack. The prosecution claims that TAD Group tried to blackmail several companies to hire its services, inducing them with hacked information from their websites. However, no company has publicly complained yet.
How the leak happened and what it contains
According to IT specialists, the hacker infiltrated the NRA website through a little-used and unpatched VAT refund e-service using SQL injection, and blindly downloaded various databases.
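As an added illustration, not code from the article or from the NRA's system, the constructed Python snippet below shows the class of flaw described above: a VAT-refund lookup that splices the caller's input into the SQL text, beside a hardened version that binds the value as a parameter and allow-lists the input format first. The table, rows and VAT numbers are invented.

```python
import re
import sqlite3

# Constructed sample rows standing in for a VAT refund table; not real data.
SAMPLE_ROWS = [
    ("BG123456789", "Firm A", 1200.50),
    ("BG987654321", "Firm B", 80.00),
    ("BG555555555", "Firm C", 3400.00),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vat_refund (vat_no TEXT, company TEXT, amount REAL)")
    conn.executemany("INSERT INTO vat_refund VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, vat_no):
    """Input is pasted into the query string, so it can change the WHERE clause
    and turn a single-record lookup into a dump of the whole table."""
    sql = f"SELECT vat_no, amount FROM vat_refund WHERE vat_no = '{vat_no}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, vat_no):
    """Reject anything that is not a plausible Bulgarian VAT number (assumed
    format: 'BG' plus 9 or 10 digits), then bind the value as a parameter so
    the database treats it strictly as data, never as SQL."""
    if not re.fullmatch(r"BG\d{9,10}", vat_no):
        return []
    return conn.execute(
        "SELECT vat_no, amount FROM vat_refund WHERE vat_no = ?", (vat_no,)
    ).fetchall()
```

The hardened version also limits the damage of any remaining bug, since a lookup can return at most the one record the validated key matches.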
The unlawfully distributed files contain names, personal identification numbers and physical addresses of Bulgarian individuals, telephone numbers, e-mail addresses and other contact information. Additionally, sensitive personal information, such as data from annual tax returns and social security statements, data regarding health insurance status and fines for administrative violations, was leaked. Data that the NRA receives ex officio from other institutions, such as the Bulgarian Customs Agency, the Employment Agency and the Social Assistance Agency, was also published.
Last but not least, data on requested and refunded VAT paid abroad and data from the international tax information exchange regarding Bulgarian residents was part of the leak. This might complicate the Bulgarian institutions' relationship with foreign partners, including the European Anti-Fraud Office, OLAF, which exchange information through the Eurofisc system, data from which was also leaked. The leak potentially puts trans-European tax fraud investigations at risk and has further blemished the international image of the Bulgarian government. The government had already suffered a serious blow in August 2018 when the Commercial Register's website shut down for over two weeks, causing serious delays to both domestic and international businesses operating in the country.
Domestic repercussions from NAPLeaks are also likely. Trust in e-governance among Bulgarians will likely suffer, which will further slow down the process of digitalization and unification of electronic services within the administration. Citizens might become wary of sharing personal data with the institutions and might change their generally positive attitudes towards e-governance and electronic voting. Ironically, the outgoing deputy prime minister responsible for e-governance, Tomislav Donchev, praised NRA for being a champion of electronic modernization in an interview published a day after the leak in 24 Hours daily.
There is, however, at least one positive side to this scandal once journalists put the leaked data in some kind of order. It might become a basis for investigating discrepancies between the conflict-of-interest declarations and the tax forms of politically connected Bulgarian officials and business people. Until that time comes, Bulgarians ought to check regularly if someone has taken out a fast credit on their behalf. Courtesy of the NRA, of course.