The data’s origin is believed to be the country’s National Revenue Agency (NRA), a department of the Bulgarian Ministry of Finance.
In a message posted on its website on Monday, the NRA admitted to the incident and said it was working with the Ministry of the Interior and the State Agency for National Security (SANS) to investigate the hack.
“We are currently verifying whether the data is real,” said the NRA.
Hacker stole 110 databases, leaked 57
According to reports from local media [1, 2, 3, 4, 5], who received part of the data, the hacker said they stole the personal details of over five million Bulgarians, of the country’s total population of seven million.
The hacker bragged about stealing 110 databases from NRA’s network, totaling nearly 21 GB. The hacker shared only 57 databases, comprising 11 GB of the aggregate data, with local news outlets but promised to release the rest in the coming days.
The leak contains names, personal identification numbers (PINs), home addresses, and financial earnings. Most of the information is years old, dating back as far as 2007, but newer database entries were also discovered.
Besides NRA-specific information, the leak also includes data that appears to have been imported into NRA systems from other government agencies.
The leaked data also contained information from the Department Civil Registration and Administrative Services (GRAO), a database the department described as similar to “the Social Security Number (or similar) identification in other countries.”
Information was also found that belonged to Bulgaria’s customs agency, namely data from the Bulgarian Excise Centralized Information System (BECIS), a database for storing information about excise taxes for imported goods.
There was also some information that local media deemed to belong to the National Health Insurance Fund (NZOK), although they have not detailed its precise nature, as well as data from the Bulgarian Employment Agency (AZ).
Hacker is an Assange fan
The hacker contacted local media from a Yandex.ru email address and included a variation of a quote from WikiLeaks founder Julian Assange, which roughly translates from Bulgarian to “Your government is stupid. Your cybersecurity is a parody.”
Opposition parties in Bulgaria have not wasted any time. Within hours of the leak going public, the Democratic Bulgaria party demanded the resignation of Finance Minister Vladislav Goranov.
Last month, Bulgarian authorities arrested and temporarily held a Bulgarian IT expert for publicly releasing details about how to exploit a vulnerability in a state-managed kindergarten web portal to harvest the GRAO details of all Bulgarians. The two incidents don’t appear to be related.