
Hackers expose PII of 5mn citizens in Bulgarian data breach

By Netacea / 18th Jul 2019

Earlier this week Bulgarian media outlets received stolen data that originated from the country’s National Revenue Agency (NRA). The data breach contains the personally identifiable information (PII) of five million citizens – 71% of Bulgaria’s population – and is reported to be the country’s biggest data leak.

So how did the data breach occur and what risks are the victims exposed to following the leak?

How did the data breach occur?

The perpetrators of the attack have told local media outlets that the initial leak covers 57 of 110 total compromised databases. That equates to just 11GB leaked of the 21GB acquired in the data breach.

It is thought that the hack was carried out in June via download links from a Yandex email address, but the email alerting the nation’s press of the breach and offering access to the stolen data was not distributed by the culprits until Monday 15th July.

The hackers said:

“There are more than five million Bulgarian and international citizens, as well as companies, affected in the breach.”

The sheer scale of the attack has been further emphasised by Vesselin Bontchev, assistant professor at the Bulgarian Academy of Sciences:

“It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.”

In response to the breach, the Bulgarian NRA stated:

“The authorities are investigating a potential security breach in the systems of the National Revenue Agency. Earlier today, local media were emailed a download link to the leaked data, which purportedly originated from the Bulgarian Ministry of Finance.”

So far, one man has been arrested and charged in connection with the data breach. Vladislav Goranov, Bulgaria’s finance minister, has apologised for the breach and stated that anyone attempting to exploit the data “would fall under the impact of Bulgarian law.”


A data breach is just the first step

It would seem that the Bulgarian authorities are certainly taking the incident seriously. But what risks have the five million citizens been exposed to if the stolen data has already been made accessible?

The data breach itself is just the beginning. With PII in the possession of bad actors, it can be sold on and exploited for a myriad of illicit purposes that may not become apparent to victims until much later.

In 2019, we have seen PII put both individuals and businesses at increased risk of account takeover attacks and, subsequently, greater exposure to fraud and reputational damage.

Account takeover (ATO) attacks using stolen data are commonly carried out using automated bot traffic techniques, such as credential stuffing and card cracking.

What is credential stuffing?

Credential stuffing is a common ATO technique in which attackers continually and automatically inject usernames and passwords into website login forms until they get a match, gaining brute-force entry to an account.
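The login pattern described above leaves a recognisable trace in authentication logs: one source trying many different usernames in a short window with almost no successes. The sketch below is an added example, not code from the original article and not Netacea's detection method; the thresholds, event layout and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_sources(events, window=timedelta(minutes=5), min_distinct=5, max_success_ratio=0.2):
    """Return {source: stats} for sources that, inside one sliding window,
    tried at least min_distinct different identifiers and mostly failed."""
    recent = defaultdict(deque)  # source -> attempts still inside the window
    flagged = {}
    for ts, src, ident, ok in sorted(events):
        q = recent[src]
        q.append((ts, ident, ok))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        distinct = len({i for _, i, _ in q})
        ratio = sum(o for _, _, o in q) / len(q)
        if distinct >= min_distinct and ratio <= max_success_ratio:
            if src not in flagged or distinct > flagged[src]["distinct_ids"]:
                flagged[src] = {"distinct_ids": distinct, "attempts": len(q),
                                "success_ratio": round(ratio, 2)}
    return flagged

def sample_events():
    """Constructed login events: (time, source IP, username tried, succeeded)."""
    t0 = datetime(2019, 7, 18, 9, 0, 0)
    events = []
    # Automated source: 10 different usernames in 20 seconds, one match.
    for n in range(10):
        events.append((t0 + timedelta(seconds=2 * n), "203.0.113.7", f"user{n}", n == 6))
    # One person mistyping a password: repeated failures, same username.
    for n in range(5):
        events.append((t0 + timedelta(seconds=30 * n), "198.51.100.20", "alice", n == 4))
    # Shared office address: many usernames, but every login succeeds.
    for n in range(6):
        events.append((t0 + timedelta(seconds=40 * n), "192.0.2.50", f"staff{n}", True))
    return events

if __name__ == "__main__":
    for src, stats in flag_sources(sample_events()).items():
        print(src, stats)
```

Requiring both a spread of distinct usernames and a low success ratio keeps the mistyping user and the shared office address out of the result.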

What is card cracking?

Card cracking is also used to gain brute-force entry to an account. The attack is carried out against a website’s payment processing capabilities to test the validity of thousands of stolen credit card numbers.

What should businesses do to protect their customers from automated threats?

To tackle the challenge of automated, malicious traffic head-on, you need a comprehensive understanding of the technology and strategies used to carry out credential stuffing and card cracking attacks.

Partnering with bot management experts removes the pressure on your business to hold this knowledge in-house, and ensures you have accurate, real-time insights into automated traffic activity on your website.

Netacea uses a range of approaches to detect ATO activity, tackling sophisticated attacks with award-winning, artificial-intelligence-based ATO detection.

To find out more about the credential stuffing threat and how Netacea is fighting back at bots, access our Essential Guide to Credential Stuffing today.
