
National tax agency of Bulgaria (NRA, National Revenue Agency, Bulgaria)

Company

Government and social institutions
Europe
Bulgaria, 1000 Sofia, 52, Dondukov Blvd.; Information Centre of the NRA



History

2019: Arrest of a cybersecurity specialist accused of stealing the data of 5 million citizens from the NRA

In Bulgaria, an information security specialist accused of stealing the personal and financial data of 5 million citizens from the National Revenue Agency (NRA) was arrested. Panda Security reported this on July 25, 2019. According to the company, the incident became the largest data breach in Bulgaria, a country with a population of about 7 million.

A cybersecurity specialist accused of stealing the personal and financial data of 5 million citizens has been arrested in Bulgaria

The stolen data includes names, income data, tax declarations, medical insurance payments and much more.

According to the Bulgarian press, the suspect worked as an information security researcher, searching for vulnerabilities in IT networks in order to prevent cyber attacks. In 2017 he had already made the news when he discovered significant security holes on the website of the Ministry of Education of Bulgaria.

Before his arrest he was also very active on social networks and regularly published articles on information security and hacking.

This cyber attack once again sparked a debate about the country's weak information security standards. The prime minister of Bulgaria said that the arrested man was a "magic" hacker and that the country should employ "unique brains" like his for its protection.

Nevertheless, some experts who examined the stolen data said that the tactics used were rather simple, which points more to a lack of adequate protection than to great skill on the hacker's part.

The country's business organization BIA warned about possible shortcomings in data protection at the NRA several years ago. It demanded that the NRA send detailed information on the stolen documents to each affected person and company.

Under the provisions of the GDPR, the NRA can face a fine of up to 20 million euros or 4% of its total annual turnover. The sanction will depend on the number of affected persons and on the volume of stolen information, but no sanctions have been imposed yet.

The GDPR applies to any company that processes the personal data of citizens of the European Union. Compliance with its requirements is therefore mandatory in order to avoid the economic losses and reputational damage that can result from a data breach.

To simplify compliance with this law, Panda Adaptive Defense has a module developed specifically to help meet GDPR requirements: Panda Data Control. This module has a number of advantages:

  • Detection and audit: It automatically identifies corporate files that contain personally identifiable information, as well as the users, employees or contractors, computers and servers that can access this information.
  • Monitoring and detection: The real-time reports and notifications that Panda Data Control provides on unauthorized and suspicious use, transfer and extraction of files with personal data help to implement proactive controls over access and processing.
  • Simplified management: Panda Data Control is a module integrated into Panda Adaptive Defense and Panda Adaptive Defense 360. It does not require companies to deploy anything beyond the standard protection, so the module can be activated quickly, without complex and cumbersome configuration.
  • Demonstration to the manager responsible for data protection in the company (DPO) and to all other staff of your organization of the strict security measures in place to protect all personally identifiable information, whether it is at rest, in use or in transit between end devices and servers.