Official report says the data breach at the National Revenue Agency is no one’s fault

The special parliamentary committee tasked with finding out if there was prerequisites for the unprecedented data breach at the National Revenue Agency concluded there were not any. The committee found, in other words, no one from the agency or other relevant institution or official could be to blame for the breach. The report recommends various improvements at the agency and the law – including tougher punishments for cybercrimes, new regulation capabilities and additions to the penal code to include new types of crimes. The report also seems to acknowledge weaknesses in the NRA’s systems but it does not see any fault for that or indeed if there was a way to overcome these weaknesses.

Last summer the NRA’s database was compromised and the personal data, including tax returns, of nearly all Bulgarian adults was released on the internet. The owner of the network security company TAD Group Ivan Todorov was arrested and charged for abetting the cyber-attack. Todorov is remains in jail awaiting trial.

Meanwhile the Commission for the Protection of Personal Data fined the NRA 5,1 million leva for the breach, which the revenue agency is appealing.

The members of the committee from the opposition, the Bulgarian Socialist Party, signed the report without approval. Roumen Gechev from BSP said the report does not point to any official or office as baring any responsibility at all for the breach. “Not even the doorman got fired,” he said.

Krasimir Tsipov from the ruling party GERB said that as far as responsibility goes, the IT managers at the NRA, who are directly responsible for the security systems are no longer there. The executive director of the NRA, however, remained at her post, and even got a raise recently.  When asked should the head of the NRA be fired after such a gross blunder Finance Minister Vladislav Gouranov notably replied that he had not heard “the CIA director resign after Wikileaks.”

BSP argues further that the sanction imposed by the personal data commission is itself an indication that the agency is responsible to an extent for the breach but the parliamentary commission’s report does not reflect such a notion.