WARSAW (NYTIMES) – An investigation into the theft of the personal information of nearly every adult in Bulgaria led to the arrest of a 20-year-old computer programmer, the police announced Wednesday (July 17), in connection with a breach that underscores the vulnerability of vast troves of digitised information.

The authorities acknowledged that Bulgaria’s national tax agency was hacked after a news outlet received an email Monday (July 15) with a taunt and a claim of responsibility.

The names, addresses, incomes and social security information of as many as 5 million Bulgarians and foreign residents – in a country of only 7 million – had been taken.

“The state of your cybersecurity is a parody,” the self-proclaimed hacker emailed.

Although the police cautioned that the investigation was in its early stages, some officials suggested that Russia might have been behind the attack, as retaliation for the country’s recent purchase of US-made fighter jets. A lawyer for the suspect denied he played any role in the breach.

Regardless of who perpetrated the hack, experts said the breach highlighted the ever-growing danger faced by both governments and their citizens in an increasingly digitised world.

The breach was the largest theft of personal data ever reported in the Balkans – Bulgaria’s prime minister convened an emergency meeting of the nation’s security agencies – and just the latest in a series of attacks that have exposed how much data remains insecure online despite a series of recent high-profile thefts.

Last year, the United States accused North Korean hackers of crippling Britain’s health care system and stealing millions from Bangladesh, as part of a years-long campaign to place ransomware on computers around the world. A few years earlier, US officials said that hackers based in China broke into the computer networks of a US government agency, exposing the personal information of more than 21.5 million people.

Corporations have suffered even larger breaches. Thieves stole more than 140 million Social Security numbers from the credit agency Equifax, hackers exposed the data of up to 500 million Marriott International guests, and attacks on the tech giant Yahoo compromised more than 1 billion user accounts.

Still, many governments have concentrated their attention on areas deemed “critical infrastructure” – such as energy and defense networks – a category that does not always include vast repositories of personal data.

Since becoming a member of NATO in 2004, Bulgaria has steadily worked to bolster its cyber defences, and in June it became a member of a NATO program, the Cooperative Cyber Defense Centre of Excellence, meant to help member nations improve their cybersecurity capabilities.

But Dr. Vesselin Bontchev, an assistant professor at the Bulgarian Academy of Sciences and a cybersecurity expert, said that the government – like many others – needed to broaden its view of what is vital to national security.

Many government officials, he said, “were worried mostly about the usual that gets discussed in the Western press – hybrid warfare, Russian disinformation and meddling, attacks against the critical infrastructure – that sort of thing.” But those were “largely theoretical problems,” he said.

“I didn’t see anyone being particularly worried about viruses, ransomware, data breaches, phishing and other everyday cybersecurity problems. Although, arguably, the National Revenue Agency is critical infrastructure.”

The breach of the National Revenue Agency, Bulgaria’s tax authority, is believed to have occurred in June and may have continued for some time. It was not made public until Monday, after news outlets around the country received an email – which came from a Russian address – claiming responsibility for the attack.

But like with so many cyber attacks, taking an inventory of the damage was a simpler task than assigning blame and understanding the broader implications.

As residents of one of the European Union’s newest and poorest member states wrestled with how the breach might affect their lives – with many fearing identity theft, and scores going to social media to mock their government – public officials offered a variety of theories about who might have been responsible.

Because the suspect worked for a cybersecurity firm, there was some speculation that the hack might have been a so-called “white hat” attack, perpetrated to expose vulnerabilities in the government’s computer networks and create public pressure to fix it. But the lawyer for the suspect rejected that theory, saying the suspect wasn’t involved at all in the attack.

Other government officials suggested that the country might have been targeted by Russia.

Mladen Marinov, the interior minister, said that the authorities had to remember the political context in which the attack took place, an apparent reference to Bulgaria’s relations with Russia and the West. This spring, Bulgaria finalised the details of its largest-ever foreign military acquisition since the end of communist rule in 1989, agreeing to spend nearly $1.3 billion to buy eight F-16 fighter jets from the United States.

“Organised criminal groups involved in cyber attacks usually seek financial profits, but here political motives are possible,” Marinov said.

Meanwhile, Prime Minister Boyko Borisov called an emergency meeting of the nation’s security agencies to discuss the ramifications of the attack. He told reporters that the incident showed that there were some “brilliant minds” working in the country’s tech sector, many of whom should be working for the state.

“It seems like education is getting better and better, especially in the IT field,” he said Wednesday. “We have some true wizards.”

Maya Alexandrova, a senior associate at a law firm in Sofia specialising in cybersecurity, said Bulgaria had introduced a legal framework for dealing with cybersecurity issues only last year. Private companies, she said, have been working to enhance their defences.

“Unfortunately I could not say the same thing for the government authorities,” she said. The state authorities, she said, “are not keeping up.”

Yavor Kolev, the head of the Bulgarian police’s cybersecurity unit, said that it was too early in the investigation to draw any firm conclusions. But he said that they had uncovered evidence that “suggests that the suspect is connected to the crime.”

The suspect, identified by his lawyer as Kristiyan Boikov, worked the TAD Group, a private cybersecurity firm.

Kolev said that Boikov had engaged in criminal activity in the past. “In his life, he has been on both sides,” he said.

However, Boikov’s lawyer, Georgi Stefanov, said that his name had been given to the police by a competing cybersecurity company in an attempt to frame his client.

“Kristiyan in an expert in his field,” Stefanov told reporters in Sofia. He added that if he wanted to hack the tax authority’s database, the Bulgarian police would never have found a trace.

On Tuesday, the same day Boikov was taken into custody, Bulgarian news outlets received another email from the alleged hacker. The writer, who claimed to be a Russian citizen married to a Bulgarian woman, taunted officials, saying the government will never find him. “They will just cover up the real truth,” he wrote.

Source: Read Full Article