Last week, news broke of a data breach in Bulgaria that affected over five million of the nation’s citizens.

The breach occurred when a hacker broke into the National Revenue Agency to steal names, income details and social security data. The hacker then forwarded 57 folders holding 11gb of data to media outlets in Bulgaria, warning that the haul represented just a portion of a total 21gb stolen.

In an email to news outlets, the hacker reportedly wrote:

“Your government is backward. The state of your cybersecurity is a parody.” There was then a demand to release WikiLeaks founder Julian Assange.

The email was traced back to a Russian address – a discovery that has added to Russo-Bulgarian tensions building since Bulgaria recently revealed its intention to buy US fighter jets. The 20-year-old cyber-security worker behind the intrusion was arrested in Bulgaria in the last 24 hours. He has been identified as Kristian Boykov, a former employee of the Bulgarian office of US cyber-security firm TAD Group.

Speaking to the New York Times, Dr Vesselin Bontchev said:

“To the best of my knowledge, this is the first publicly known major data breach in Bulgaria. It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.”

Bulgaria’s Prime Minister, Boyko Borissov, met with security agencies to formulate a response to the situation, and later called the hacker “a wizard” before underlining that the government needs specialists of such a calibre to work for Bulgaria, not against it.

Finance Minister Vladislav Goranov has apologised for the breach and has reiterated that the culprit will “fall under the impact of Bulgarian law.”

City prosecutors in Sofia say that Boykov has been charged with a computer crime. He will be held for three further days and potentially faces up to eight years in jail if found guilty.

While the Bulgarian government is now coming under fire for lax security standards, the incident is raising awareness of the problem of identity theft. It remains to be seen, however, how the many potential victims of the breach will be affected.

Under the GDPR, the National Revenue Agency could be issued with a fine of up to €20 million for failing to adequately safeguard the data of Bulgaria’s citizens.

