The personal and financial data of pretty much every adult in Bulgaria has been stolen, reports the New York Times. An individual claiming to be a Russian hacker took responsibility for the attack on the nation's tax agency while slamming the government's cybersecurity efforts as "parody" in an email sent to local media outlets Monday. A Bulgarian cybersecurity worker was arrested a day later after officials seized computers containing encrypted data from his home and office in Sofia, police tells Reuters. The 20-year-old suspect—identified by media as Kristian Boykov of the US firm TAD Group—faces up to eight years in prison if convicted of stealing the names, addresses, incomes, loans, tax declarations, and health insurance payments of taxpayers in the country of 7 million.
Bulgaria's government actually thanked Boykov in 2017 after he exposed vulnerabilities in the education ministry website. At the time, he said he was "fulfilling my civic duty," though police believe he also dabbled in cybercrime. Prime Minister Boyko Borissov has called the suspect a "wizard" hacker. But experts say relatively basic hacking techniques were used in the attack, which comes a year after Bulgaria's leading business organization warned about possible flaws in the National Revenue Agency's protections. The agency could now be fined up to $22.4 million for the breach, which some have speculated was ordered by Russia as retaliation for Bulgaria's purchase of American-made fighter jets, per the Times. A lawyer says Boykov "has no connection whatsoever with the issue" and is accused "despite a complete lack of evidence." (Read more cyberattack stories.)