Bulgarian Commercial Registry Fixes Serious Personal Data Leak

Atanas Tchobanov

Tens of thousands of Personal Identification Numbers (PIN, in Bulgarian EGN, comparable to a social security number) and ID card numbers were available until yesterday (July 29) through Google's search engine because of a misconfiguration of the server maintained by the Bulgarian Registry Agency. To obtain them, it was enough to type into the search box the address of the server together with the words "ID card" or "EGN". After Bivol signaled the problem to the Commission for Personal Data Protection (CPDP) and to CERT Bulgaria, the National Center for Incident Response in Information Security, they took action, and today the search results have been removed from the global search engine.

The leak did not have the scale of NAPLeaks (the recent leak from Bulgaria's National Revenue Agency); nevertheless, the data of more than 60,000 people who had filed documents with the Commercial Registry were publicly available. In principle, these individuals give informed consent for their data to be made public, but access to them is meant to go through the Registry's own interface, which is protected against mass data collection. The open data published by the Commercial Registry does not contain PINs but a different unique identifier.
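The EGN at the center of this leak has internal structure that a detection tool can check: its first six digits encode a birth date (with the month offset by 20 for the 1800s and by 40 for the 2000s) and its tenth digit is a weighted mod-11 check digit. The following Python script is added here as an illustration and is not code from Bivol, the Registry Agency or CERT Bulgaria. It scans a text for ten-digit runs and keeps only those that decode to a real date and pass the public EGN checksum, which is how a site operator could sweep their own indexed pages for exposed PINs while discarding phone numbers and order numbers that merely look similar. The sample document is constructed and the numbers in it are synthetic.

```python
"""Scan text for Bulgarian EGNs (PINs), confirming the embedded date and the checksum."""
import re
from datetime import date
from typing import List, Optional, Tuple

# Weights for the nine leading digits; the tenth digit is the check digit.
EGN_WEIGHTS = (2, 4, 8, 5, 10, 9, 7, 3, 6)

# Any run of exactly ten digits that is not part of a longer digit run.
TEN_DIGITS = re.compile(r"(?<!\d)\d{10}(?!\d)")


def egn_checksum_ok(egn: str) -> bool:
    """Return True if the tenth digit equals the weighted sum mod 11.

    A remainder of 10 maps to check digit 0, which the trailing `% 10` handles.
    """
    if not re.fullmatch(r"\d{10}", egn):
        return False
    total = sum(int(d) * w for d, w in zip(egn[:9], EGN_WEIGHTS))
    return total % 11 % 10 == int(egn[9])


def egn_birth_date(egn: str) -> Optional[date]:
    """Decode the YYMMDD prefix; month +20 means 18xx, month +40 means 20xx.

    Returns None when the digits do not form a calendar date.
    """
    yy, mm, dd = int(egn[0:2]), int(egn[2:4]), int(egn[4:6])
    if mm > 40:
        year, month = 2000 + yy, mm - 40
    elif mm > 20:
        year, month = 1800 + yy, mm - 20
    else:
        year, month = 1900 + yy, mm
    try:
        return date(year, month, dd)
    except ValueError:
        return None


def find_egns(text: str) -> List[Tuple[str, date]]:
    """Return (egn, birth_date) for every ten-digit run passing both checks."""
    hits = []
    for match in TEN_DIGITS.finditer(text):
        candidate = match.group(0)
        born = egn_birth_date(candidate)
        if born is not None and egn_checksum_ok(candidate):
            hits.append((candidate, born))
    return hits


# Constructed sample; the numbers are synthetic and belong to no real person.
# 0888123456 fails both checks (month 48 is impossible), 7503169260 has a
# plausible date but a wrong check digit, so only two values should survive.
SAMPLE_DOCUMENT = """Applicant: Ivan Petrov, EGN 7503169269, phone 0888123456
Representative: EGN 0545011237
Order no. 7503169260 filed 2019-07-26
"""

if __name__ == "__main__":
    for egn, born in find_egns(SAMPLE_DOCUMENT):
        print(f"EGN {egn} (born {born.isoformat()})")
```

Requiring both a valid date and a valid check digit is what keeps the false-positive rate usable on real documents: roughly nine in ten random ten-digit strings fail the mod-11 check alone, and most of the rest fall to the date test.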

CERT registered the incident without delay on July 26, contacted the Registry Agency and recommended that it formally ask Google to stop indexing the data. This apparently happened at the beginning of the week; the results have now been cleared, and a search for "ID card" returns nothing. De-indexing removes the search results, not the underlying exposure: for as long as the server misconfiguration itself persists, the documents remain reachable by direct URL and by other crawlers.

In Assen Genov's "Counter-Commentary" broadcast, Bivol's editor-in-chief Atanas Tchobanov discussed the problem and noted that this case was not about hacking or external meddling but about the poor configuration of the Registry Agency's servers, which are currently maintained by the state-owned Information Services company. It is not clear, however, how long the indexing by search engines had lasted.

Earlier, it was again Bivol that alerted the CPDP and CERT to a vulnerability and breach in the Commission's own data protection system, which potentially allowed unauthorized access to more than 14,000 citizens' complaints, along with their personal data and addresses. The CPDP took action and posted a thank-you note to Bivol on its site.

Unfortunately, not all media outlets in Bulgaria follow this procedure of reporting to the authorities first when they become aware of vulnerabilities in government sites and data leaks. After receiving information about NAPLeaks, at least two Bulgarian TV channels immediately broadcast the link to the data and the password protecting it. In practice, they are thus responsible for making the hacked data public and turning it into a massive leak of information.
