The Alexander Nevsky Cathedral and National Assembly building in Sofia, Bulgaria. Image: Getty

Someone stole the personal and financial information of millions of Bulgarian taxpayers—likely the majority of the adult population.




Bulgarian police head of cybersecurity Yavor Kolev said on Wednesday that an unidentified 20-year-old cybersecurity worker was arrested on Tuesday on suspicion of involvement in a hack that took sensitive taxpayer data, according to a Reuters report.

The Bulgarian public first caught wind of the hack on Monday, after someone claiming to be the hacker behind the attack contacted several local media outlets to say that they had stolen the personal information of more than five million citizens (in a country with a population of 7 million), and shared some of the data they had stolen. As ZDNet points out, the supposed hacker emailed the news outlets from a Yandex.ru email address. Their communication included quotes from Julian Assange and the message, “Your government is stupid. Your cybersecurity is a parody.” The person told at least one outlet they are a Russian citizen.


The National Revenue Agency (NRA) released a statement on Monday, stating it is investigating the matter with the State Agency for National Security and the Ministry of the Interior. On Tuesday, Interior Minister Mladen Marinov confirmed the attack to Bulgaria’s bTV network.

Kolev said the man police arrested in association with the crime works as a tester for vulnerabilities in computer networks, but he also dabbled in crime. “In his life, he has been on both sides,” Kolev told Reuters.

Reuters reports that the Bulgarian Industrial Association, the nation’s leading non-government business organization, warned about vulnerabilities in the NRA’s system last year, and has insisted that every company and person affected receive a report on the breach.

Commission for Personal Data Protection board member Veselin Tselkov told Reuters the NRA could face a fine of 20 million euros ($22.43 million) for the breach, but the sanction will depend on how many people were affected and how much information was leaked.

