Bulgarian Commercial Registry Fixes Serious Personal Data Leak

Atanas Tchobanov

Tens of thousands of Personal Identification Numbers (PIN, in Bulgarian EGN, similar to a social security number) and ID card numbers were available until yesterday (July 29) through Google's search engine because of a misconfiguration of the server maintained by the Bulgarian Registry Agency. To obtain them, it was enough to type into the search box the address of the server and the words "ID card" or "EGN". After Bivol signaled the problem to the Commission for Personal Data Protection (CPDP) and to CERT Bulgaria, the National Center for Incident Response in Information Security, they took action, and today the search results have been removed from the global search engine.

The leak did not have the scale of NAPLeaks (the recent leak from Bulgaria's National Revenue Agency); nevertheless, the data of more than 60,000 people who had filed documents with the Commercial Registry were publicly available. In principle, these individuals give informed consent for their data to be made public, but access to the data is via the interface of the Registry, which is protected against mass data collection. The open data published by the Commercial Registry does not contain PINs, but another unique identifier.

After registering the incident without delay on July 26, CERT contacted the Registry Agency and recommended that it contact Google formally to stop indexing the data. This apparently happened at the beginning of the week; the results have now been cleared, and a search for "ID card" returns nothing.
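The article does not say what the server misconfiguration was, only that pages carrying EGNs ended up in a public search index. The script below is an added example (not Bivol's code and not the Registry Agency's) of the check a site operator would run on their own pages before and after such an incident: it finds strings that are valid EGNs (the public check-digit algorithm and the century encoding in the month field) and reports whether the page is served without a `noindex` directive in either the `X-Robots-Tag` header or a robots meta tag. The sample HTML and headers are constructed; the EGNs in them are synthetic values that merely pass the checksum.

```python
"""Audit served pages for exposed EGNs that search engines may index.

Added example for illustration; not code from Bivol or the Registry Agency.
The EGN format rules are public; all sample data below is constructed.
"""
import re
from datetime import date

# Public EGN check-digit weights applied to the first nine digits.
EGN_WEIGHTS = (2, 4, 8, 5, 10, 9, 7, 3, 6)


def egn_valid(egn: str) -> bool:
    """True if egn is ten digits, encodes a real date and passes the checksum."""
    if not re.fullmatch(r"\d{10}", egn):
        return False
    digits = [int(c) for c in egn]
    yy, mm, dd = int(egn[0:2]), int(egn[2:4]), int(egn[4:6])
    # The month field also carries the century: +20 for 1800s, +40 for 2000s.
    if 1 <= mm <= 12:
        year = 1900 + yy
    elif 21 <= mm <= 32:
        year, mm = 1800 + yy, mm - 20
    elif 41 <= mm <= 52:
        year, mm = 2000 + yy, mm - 40
    else:
        return False
    try:
        date(year, mm, dd)
    except ValueError:
        return False
    checksum = sum(w * d for w, d in zip(EGN_WEIGHTS, digits[:9])) % 11
    if checksum == 10:
        checksum = 0
    return checksum == digits[9]


def find_egns(text: str) -> list:
    """Return the distinct valid EGNs found in text, in order of appearance."""
    candidates = re.findall(r"(?<!\d)\d{10}(?!\d)", text)
    return list(dict.fromkeys(c for c in candidates if egn_valid(c)))


def is_noindex(headers: dict, body: str) -> bool:
    """True if the response tells crawlers not to index it (header or meta tag)."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    meta = re.search(
        r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', body, re.I
    )
    return bool(meta and "noindex" in meta.group(1).lower())


def audit_page(url: str, headers: dict, body: str) -> dict:
    """Flag a page as exposed if it carries valid EGNs and is indexable."""
    egns = find_egns(body)
    noindex = is_noindex(headers, body)
    return {
        "url": url,
        "egns_found": len(egns),
        "noindex": noindex,
        "exposed": bool(egns) and not noindex,
    }


# Constructed sample responses. URLs and numbers are placeholders.
SAMPLE_BODY = (
    "<html><head><title>Filing 2019/0042</title></head><body>"
    "<p>Applicant: EGN 6101057509, invoice 6101057508 (wrong check digit)</p>"
    "<p>Representative: EGN 0545120006</p><p>Reference 1234567890</p>"
    "</body></html>"
)
SAMPLE_PAGES = [
    ("https://registry.example/filing/42", {"Content-Type": "text/html"}, SAMPLE_BODY),
    ("https://registry.example/filing/43",
     {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}, SAMPLE_BODY),
]


def audit_sample_pages() -> list:
    return [audit_page(url, hdrs, body) for url, hdrs, body in SAMPLE_PAGES]


if __name__ == "__main__":
    for result in audit_sample_pages():
        print(result)
```

A `noindex` directive only asks well-behaved crawlers to stay away; a page that should not be public at all needs access control in front of it, and a page already in an index additionally needs the removal request the article describes. The audit is useful as a regression check after such a cleanup: any page that still returns `exposed: True` has not actually been fixed.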

In the "Counter-Commentary" broadcast of Assen Genov, Bivol's editor-in-chief Atanas Tchobanov spoke about the problem and noted that this case was not about hacking or external meddling, but about the poor configuration of the servers of the Registry Agency, which are currently maintained by the State-owned Information Services Company. However, it is not clear how long this indexing by search engines had lasted.

It was also Bivol that earlier alerted the CPDP and CERT to a vulnerability and breach in the Commission's own data protection system, potentially allowing unauthorized access to more than 14,000 citizens' complaints, along with their personal data and addresses. The CPDP took action and posted a thank-you note to Bivol on its site.

Unfortunately, not all media outlets in Bulgaria follow this procedure when they become aware of vulnerabilities in government sites and data leaks. After receiving information about NAPLeaks, at least two Bulgarian TV channels immediately broadcast the address of the link containing the data and the password with which it was protected. Thus, in practice, they are responsible for making the hacked data public and turning it into a massive leak of information.
