Security researcher arrested after data on every adult in Bulgaria hacked from government site

Security researcher arrested after data on *EVERY* adult in Bulgaria breached

Police in Bulgaria have arrested a 20-year-old man after a hack against the Bulgarian tax authority, known as the National Revenue Agency (NRA), which saw data on every single adult living in Bulgaria stolen, and offered to the media.

Every adult living in Bulgaria? Yes, according to local media apparently practically every adult member of the Bulgarian population has had their name, address, and even personal income details stolen, through a vulnerability in a VAT refund system. Plus an additional 1.38 million dead people have had their data leaked too.

Finance Minister Vladislav Goranov confirmed the security breached, and apologised “to all Bulgarian citizens who have been made vulnerable” according to Reuters.

Sign up to our free newsletter.
Security news, advice, and tips.

What will raise some eyebrows is that the man who has been arrested in connection with the hack is Kristiyan Boykov from the city of Plovdiv. Boykov has been working since 2017 for the security firm TAD GROUP, which describes itself as having “extensive experience in conducting penetration tests and security assessments.”

Boykov came to the attention of the penetration testing company two years ago, after he found vulnerabilities on a Ministry of Education and Science (MES) website which allowed him to access a database containing details of companies offering internships to students.

When the ministry failed to respond, Boykov went to popular Bulgarian TV show “Lords of the Air” with his findings.

Boykov TV appearance

Police say they do not believe that Boykov’s employer, TAD GROUP, is connected with the NRA breach, but computer equipment, drives, and mobile phones were seized at its offices in Sofia, as well as at Boykov’s home. In a press statement, TAD GROUP said it would assist the authorities in their investigation, and that Boykov “has always been ethically, professionally and loyal to his work commitments, including our clients and the entire team.”

According to local media reports, Boykov’s work for the company has included providing cybersecurity training to the very same law enforcement agency that has since arrested him. Sounds like he trained them well.

Bulgarian anti-virus veteran Vesselin Bontchev tweeted a screenshot of what claims to be a message sent to local media by whoever hacked the NRA.

Lawyers working for Boykov have briefed the media about their belief that the young researcher may have been framed by competitors, arguing that he is too competent to leave clues pointing to his identity on the breached system.

If details of the security breach are accurate, the NRA could find itself facing a fine of up to 20 million Euros (US $22.5 million). Boykov, if convicted, could be sentenced to up to eight years in prison.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.