The Bulgarian Privacy Authority sanctions the National Revenue Agency for the data breach of millions of citizens
Despite the funds allocated and the warnings of “white hat hackers”, the technological infrastructure of the Bulgarian institutions struggles and leaves itself vulnerable to data breaches of considerable magnitude, such as the one that occurred on July 15, 2019.
The investigations directed by the Bulgarian Privacy Authority, Ventsislav Karadjov, led to a remarkably negative result, not only for the violation of personal data but also for the acknowledged failure to implement the appropriate technical and organizational measures aimed at ensuring the confidentiality, integrity and availability of the data:
- 11 GB of data stored in 57 folders in .csv format, corresponding to 3% of the entire Agency’s database;
- 6,074,140 natural persons involved, of which more than 4 million correspond to Bulgarian and foreign citizens while 1,959,598 are deceased;
- data on individuals and companies including names, personal identification numbers, addresses, telephone numbers, e-mail addresses, other contact details, tax returns, payroll data, social security data and health insurance contributions;
- unofficial sources also mention health data and users of online gambling websites.
All these data were then transmitted, by anonymous e-mail, to the main national media with the purpose of mocking both the government, called “retarded”, and the security system, described as “parodic”.
This has inevitably led to the imposition of severe sanctions:
- By decision of 23.08.2019, the Commission for the Protection of Personal Data ordered the National Revenue Agency, on the basis of Art. 58, § 2, letter “d” in relation to Art. 57, § 1, letter “a” and Art. 83, § 2, letters “a”, “c”, “d”, “f” and “g” of the GDPR, to adopt adequate technical and organizational measures for the protection of personal data, such as:
  - measures to enhance the protection of personal data processing in e-services applications for citizens;
  - performing a risk analysis of processing systems and operations, including the rules and functional obligations established for the operation of each information system;
  - carrying out impact assessments for the “high risks” identified for each system and the measures taken;
  - executing an impact assessment at the initial launch of new information systems and applications.
- On 28.08.2019, on the basis of Art. 87, par. 3 of the Bulgarian Law on the Protection of Personal Data, the Authority issued a Criminal Order to the NRA for violation of Art. 32, § 1, letter b) GDPR, with regard to the unauthorized access, unauthorized disclosure and dissemination of personal data from databases managed by the Agency. The amount of the sanction imposed is BGN 5,100,000 (EUR 2.6 million).