Bulgarians' personal and financial data leaked by hackers in attack on tax agency

Hacker describes Bulgarian government as "stupid" for the poor state of public sector security

The personal and financial details of almost everyone in Bulgaria have been hacked from the country's tax agency and leaked online.

The hackers claim to have stolen data from 110 databases belonging to Bulgaria's National Revenue Agency (NRA), but have so far 'only' leaked data from 57 databases - 11GB of data out of a total of 21GB.

Even so, the data leak affects about five million people out of the country's population of seven million. Names, addresses, earnings (and presumably taxes paid) as well as the Bulgarian equivalent of National Insurance numbers were all leaked. Much of the data, though, goes back more than ten years.

Your government is stupid, your cybersecurity is parody

The attack was admitted in a curt statement by the NRA on Monday. "Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real," the statement read.

The data spillage was admitted today by Bulgaria's Interior Minister Mladen Marinov.

He suggested that the attack had been motivated by the government's decision to purchase Lockheed Martin F-16 fighters. However, local media suggest that the motive was a desire to highlight lax security in Bulgaria's public sector, and in the tax agency in particular.

The email the hacker sent from a Yandex account, according to local media, ended: "Your government is stupid, your cybersecurity is parody" - a quote from Wikileaks founder Julian Assange.

According to Reuters, Bulgaria's Prime Minister has opened a meeting of the country's national security council and initiated belated security checks of all government institutions.

In an interview today, the hacker behind the attack on the Bulgarian National Revenue Agency (NRA) claimed that poor security means that the NRA has been leaking like a sieve for at least 11 years.

Furthermore, he indicated in an email to Bulgaria's Nova TV, the authorities in Bulgaria are aware of it but have covered it up.

"If they do not reveal the truth, I will personally upload 21GB of data to Russian and Bulgarian torrent trackers, so everyone can download the information freely," the man, who claims to be a Russian citizen married to a Bulgarian, warned.

The attack and spillage of personal data is arguably one of the largest ever (on a per capita basis), possibly surpassing the data of 143 million people compromised in the Equifax hack, which has been linked with China's security services.

The Equifax breach has also been linked with the earlier attack on the US Office of Personnel Management (OPM), which spilt the details of some 22 million US government workers, including many working in highly sensitive areas.