A cybersecurity expert accused of hacking the data of more than 5 million Bulgarian taxpayers was released by police Wednesday after his charges were downgraded.
Kristian Boykov, a 20-year-old Bulgarian cybersecurity worker, was arrested in Bulgaria’s capital Sofia last week in connection to the breach. Police raided his home and seized computers and mobile devices with encrypted information. The hacker was found by police through the computer and software used in the attack, according to the Sofia prosecutor’s office.
Due to his work, which involves testing computer networks for potential vulnerabilities, some believe Boykov is a “white hat hacker” — a hacker that breaks into computer networks to expose vulnerabilities and push for the weaknesses to be fixed.
He has made news in Bulgaria before. In 2017, he hacked the Bulgarian education ministry’s website to expose its vulnerabilities. In a television interview, he described the work as “fulfilling my civic duty.”
Sofia prosecutors claim they tracked one of the stolen files from the latest data breach to a username used by Boykov. Boykov and his lawyer reject the allegations against him and say he was not involved in the incident.
The hack of the nation’s tax agency database is believed to be the largest data breach in Bulgaria’s history. Nearly every working adult in Bulgaria was impacted. In a country of 7 million, more than 5 million people had personal data such as social security information, addresses, incomes and names leaked and made easily accessible on the Internet.
Boykov was initially charged with a computer crime against critical infrastructure, with a maximum sentence of eight years in jail. Those charges were dropped and he was given a lesser charge of crime against information systems, which has a maximum jail sentence of three years.
The initial hack is believed to have happened in June. The breach remained undetected until an email from a Russian email address was sent to Bulgarian news outlets last week claiming responsibility for the attack. In the email, the sender claimed to be a Russian hacker, gave downloadable links to the stolen information and mocked Bulgaria’s cybersecurity efforts.
Police are still in the early stages of the investigation. If Boykov was in fact involved, it is unknown whether he worked alone or as part of a larger group, but police are looking at outside involvement as a possibility.
According to The New York Times, some Bulgarian officials have suggested that Russia may have been behind the attack as retaliation for the country’s purchase of American-made fighter jets.
Last year a data protection law was implemented across the European Union that fines companies that mismanage their data. Bulgaria’s tax agency is facing a fine of up to 20 million euros, or $22.4 million, for the data breach.
Experts who examined the stolen data in Bulgaria said the hack wasn’t a complicated operation, and that lack of preventative action from the government is to blame. Out-of-date computer systems are especially vulnerable to a breach. Less than a year ago, the country’s Commercial Registry got taken down by another cyberattack.
Prime Minister Boyko Borisov said in a government meeting on Wednesday that Boykov is a “wizard” hacker and that the country should hire similar people to work for the state.