The Bulgarian tax agency, notorious for the biggest data breach in the history of Bulgaria, has decided to appeal a fine of 5.1 million levs ($2.9 million) imposed by the state data-protection agency.
The tax agency is further considering legal action against the hackers who penetrated its systems in June, so that they would have to pay the fine.
Prosecutors have charged the owner of a cybersecurity company and two of his employees for the attack, which compromised the personal data and financial records of nearly every working adult among Bulgaria’s 7 million people. All the defendants deny wrongdoing.
The fine is below the maximum of 20 million euros (£18 million). The head of the Commission for Personal Data Protection, Ventsislav Karadzhov, said it was not meant to punish, but to ensure that measures are taken to prevent future data breaches.
The tax agency (NRA) said the data theft and its public dissemination occurred despite its data-protection measures. It has fired two senior IT specialists, but has not publicly released an audit of its IT security systems.
Officials have said Bulgaria’s public institutions are not spending enough on cybersecurity. Some experts who examined the stolen tax data say the techniques used in the attack were relatively basic and indicated a lack of adequate data protection.