DECLARATION BY THE BULGARIAN INDUSTRIAL CAPITAL ASSOCIATION RELATING TO A BREACH IN THE SECURITY OF NATIONAL REVENUE AGENCY DATA
Trust in statehood is fundamental to every society, and for a democratic one it is key. The breach of the personal data system is a breach of this trust, and any attempt to sweep what happened under the rug ruins the Bulgarian state. Therefore, BICA insists on a full investigation of the case by independent external experts and on the assumption of appropriate responsibility.
In the age of ubiquitous digitalization, such an event can only be described as a disaster. The facts speak for themselves: the leaked NRA databases show a drastic breach of the protection of individuals' rights in the processing of their personal data and a failure to fulfil our country's obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119/1 of 4 May 2016). This includes compromised data of millions of Bulgarian citizens contained in contracts, information on remuneration, income, credits, IPs, declarations, names, PINs, addresses, data of Bulgarian companies with their UIC and addresses, emails, car registration numbers, certificate numbers for electronic signatures; the full NRA organization chart with hashed passwords and the complete positions of NRA employees; data of Bulgarians living abroad who receive pensions outside Bulgaria and have refused health insurance in Bulgaria.
We are particularly concerned about the reported facts that the theft of the data took place 20 days before its discovery, that the NRA did not report or register the illegal extraction of the data from its servers at all, and that the theft was detected only after some of the information had been published. All of this speaks to a low level of data protection and security and to the incompetence or negligence of those responsible, which jeopardizes national security and the functioning of the state.
Against the backdrop of what has happened, even more outrageous and inexplicable is the desire of the NRA, through Regulation 18, which is useless for the treasury but puts companies at risk, to "peek" online into their technological and commercial secrets.
BICA calls on the executive to immediately draw up and implement an action plan to mitigate the incident and manage the resulting risks, and to publicly announce who is responsible for this unprecedented catastrophe and what penalties will be imposed.
BICA is deeply concerned about the many alarming failures of the state’s digital policy, namely the problems with the commercial register, the switch to electronic vignettes, and more. Such failures are extremely disturbing, unacceptable and shameful for a country that claims to be a regional leader in information technology.
BICA stresses that such catastrophes will continue in the future if there is no immediate change in the way the state works with the electronic data of Bulgarian citizens and Bulgarian business. The creation, maintenance and management of e-services is a continuous process, with security at the forefront of system design. State institutions, as well as external experts and security companies, should audit the infrastructure and try to break into it, and the State Agency for Electronic Governance should impose minimum security criteria for the design and implementation of e-services by state institutions. In this regard, in order to prevent such events, BICA insists on an immediate audit of IT security in all government institutions implementing eGovernment, which should long have been the case.