Nearly every adult in Bulgaria had their personal details compromised, exposing the tax agency’s weak cybersecurity.

A 20-year-old Bulgarian cybersecurity worker was arrested on suspicion of involvement in a major hacking attack that stole millions of taxpayers’ personal and financial data.

The unidentified man was arrested on Tuesday afternoon. Officers raided his home and office in the capital Sofia and seized computer devices containing encrypted data, said Yavor Kolev, head of the police’s cybersecurity unit.

The National Revenue Agency (NRA) is facing a fine of up to 20 million euros ($22.43m) over the data breach, the biggest to affect the Balkan country. The attack compromised the records of nearly every adult among Bulgaria’s seven million people.

“Overnight, the relevant examination was carried out, a very initial one, which suggests that the suspect is connected to the crime,” Kolev said.

The investigation into the hack is still at an early stage, he added, and police are looking into the possibility that other people were involved.

Prosecutors in Sofia said the man was charged with a computer crime and would be held for another three days.

The attack reignited a long-running debate about lax cybersecurity standards in Bulgaria. A person claiming to be a Russian hacker and responsible for the breach emailed local media on Monday and denounced the government’s cybersecurity efforts as a “parody”.

Kolev said the arrested man was a researcher who tested computer networks for possible vulnerabilities to prevent cyber-attacks. But he also engaged in some criminal activity. “In his life, he has been on both sides,” he said.

‘Unique brains’

Speaking at a government meeting on Wednesday, Prime Minister Boyko Borissov described the arrested man as a “wizard” hacker and said the country should hire similar “unique brains” to work for the state rather than against it.

But some experts who examined the stolen data said the techniques used in the attack were relatively basic and spoke more to a lack of adequate data-protection measures than the hacker’s ability.

“The reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices by the NRA,” said Bozhidar Bozhanov, chief executive at cybersecurity firm LogSentinel.

Bulgaria’s tax agency now faces a fine of up to four percent of its annual turnover, said Veselin Tselkov, a board member at the Commission for Personal Data Protection.

European data protection rules, known as GDPR, came into force last year. Last week, British Airways’ owner was hit with a $230m fine – equivalent to 1.5 percent of the company’s turnover – over a hack that led to 500 million customers having their details compromised.

“The amount of the sanction depends on the number of people affected and the volume of leaked information,” Tselkov said, adding the commission was still waiting for a full report on the attack.

‘Possible dangers’

Bulgaria’s leading business organisation, BIA, which warned about possible flaws in the tax agency’s data-protection system a year ago, demanded that detailed information about the leaked documents be sent to every person and company affected.

“We need to know so that at least we can be aware of possible dangers,” said BIA deputy head Stanislav Popdonchev.

Bulgaria’s Finance Minister Vladislav Goranov apologised for the attack, which exposed the names of millions of people and companies and revealed information about incomes, tax declarations, health insurance payments and loans.

The hack happened at the end of June and compromised about three percent of the tax agency’s database. Officials said earlier this week that initial signs suggested it was conducted from abroad.