The National Revenue Agency (NRA) in Bulgaria was fined 5.1 million levs ($2.9 million) by the country’s data-protection agency over a data breach that compromised the personal information of almost every adult in the country.
Reuters is reporting that the tax agency said it was going to appeal the decision. It’s also considering taking legal action against hackers who got into the system, in an attempt to make them responsible for the fine.
The owner of a cybersecurity company and two of his employees were charged by prosecutors for the breach. They deny that they did anything wrong.
A maximum fine of 20 million euros could have been levied against the tax agency, but Ventsislav Karadzhov, the head of the Commission for Personal Data Protection, said the fine was meant more to ensure proper data procedures are followed in the future than as a punishment.
The NRA said that it had data-protection measures in place when the data theft happened. Two senior IT specialists were fired, and no public report on the agency’s security systems has been released.
Leaders in the country say that public institutions don’t spend enough on cybersecurity, and analysts who studied the attack say it was fairly basic.
The hack happened at the end of June, and Finance Minister Vladislav Goranov said that although the breach affected millions of people, the data was not classified information and would not endanger the financial stability of the country.
Goranov was called to parliament to give an explanation of the breach, and he said that he was sorry “to all Bulgarian citizens who have been made vulnerable.”
He also said the hacked data wasn’t detailed enough to offer “substantive conclusions” about anyone’s financial information and that anyone who tried to take advantage of the data “would fall under the impact of Bulgarian law.”