Police in Bulgaria announced the arrest of a 20-year-old computer programmer Wednesday. His crime? Orchestrating a staggering hack of the European country’s national tax authority that swiped astonishing amounts of data, including the names, addresses, job titles, incomes, health insurance specifics, loan details, and social security information of nearly every adult citizen in the country. According to police, that intimate data was taken from as many as five million Bulgarian adults, which amounts to nearly every working adult in the country that is home to some seven million people overall.
Details are just now trickling out about the cyber-intrusion that is believed to have taken place in June and may have continued up until very recently. To make matters worse, the hack apparently had gone totally undetected until an email claiming responsibility was sent to media outlets in the country earlier this week from a Russian email address. “The state of your cybersecurity is a parody,” the self-proclaimed hacker taunted in the email. The Bulgarian government was caught flat-footed, but after a brief investigation arrested an employee at a cybersecurity firm in the country’s capital of Sofia.
“Bulgarian media identified the suspect as Kristian Boykov,” Reuters reports. “George Yankov, senior manager at the Bulgarian office of US cybersecurity firm TAD Group, said Boykov was an employee of the company and confirmed he had been arrested.” After the arrest there was some speculation—and hope—that the attack was a “white hat” attack, essentially a good Samaritan effort to expose vulnerabilities before malicious actors are able to exploit them. The lawyer for the suspect, however, put a dent in that theory when he denied the charges and said his client was not involved in the breach. One cybersecurity expert told the New York Times that the stolen data could be worth as much as $200 million on the black market.
The breach has put a spotlight on Bulgaria’s much derided cybersecurity and the country’s tax agency faces a fine up to $22 million over the hack. The country’s Prime Minister Boyko Borissov described the suspected hacker as a “wizard” Wednesday, but other cybersecurity experts questioned whether it took anything special to penetrate the country’s notoriously shaky data security protocols. Prosecutors said the man had been charged with a computer crime that could mean up to eight years in jail.