For 3 Years White Hat ‘Begs’ Data Protection Watchdog to Stop Leaks from Its Site

Atanas Tchobanov

The website of the Bulgarian Commission for Personal Data Protection (CPDP) is vulnerable and exposes the personal data of over 14,000 people who have sent complaints or questions to the Commission on various occasions. The leak was established by a "White Hat": an ethical hacker, a computer security expert who specializes in penetration testing and other testing methodologies that verify the security of an organization's information systems.

The expert reported the problem to the CPDP twice through the Commission's own system for alerts and complaints, as early as 2016. The Commission registered the reports under incoming case numbers but took no action to close the leak. Ultimately, the White Hat turned to the media because no institution offered any assistance. Our editorial office received the so-called Proof of Concept: a detailed description of the vulnerability and the steps that demonstrate it.

After becoming aware of the problem and studying it, we found that it is genuinely serious: access to the phone numbers, e-mail addresses and home addresses of citizens is possible both in theory and in practice. We sent this information to the CPDP on July 10. We cited the case numbers assigned to the White Hat's reports, P-2372 / 01.04.2016 and P-3397 / 03.05.2016, together with a link to one of the identified vulnerabilities. We asked whether a security audit of the site had been ordered after these reports, whether the problems had been identified and what steps had been taken to stop the access. So far, we have received no response from the CPDP.

The new cybersecurity law came into force in November 2018 and obliges institutions to set up sectoral cybersecurity teams. In the event of a computer security breach, administrative bodies must notify the sectoral response team within two hours of detecting the incident, but only for incidents that affect the continuity of their operations.

Perhaps the CPDP does not react and ignores the information because the exposure of the personal data of thousands of people does not, de facto, interrupt its administrative activity, its internal information system or its website. It does, however, compromise the role of the institution itself, which is also responsible for enforcing the very strict European regulation on the protection of personal data, the GDPR.

Wasting Money on White Hats

Under the new law, central cybersecurity teams keep appearing alongside the sectoral ones. In search of an institution that would protect our personal data from the Commission for Personal Data Protection, we reached CERT Bulgaria, the National Center for Incident Response in Information at the State Agency "eGovernment". Its site has a breach-reporting link, but the link does not work. The likely reason is that a public procurement contractor for the Center's maintenance has not yet been selected. The tender, worth EUR 366,083.84 excluding VAT and financed with European funds, was announced at the end of June.

Over the years, a lot of money has been spent on cybersecurity training. The main partner of the public administration and State institutions is the so-called International Cyber Investigation Training Academy, a nonprofit organization which, according to its website, was founded in 2009 by leading experts in fighting cybercrime. It has a number of strategic partners, and its projects have been financed by the "America for Bulgaria" Foundation and the European Good Governance program. In addition to training, the Academy also offers "white hat" services: information security breach testing, audits, consulting, cyber expertise, and so on.

A partner of this Academy is the Bulgarian Cyber Center for Competence for Training and Research (B2CENTRE). Its members include the Centre for Cybersecurity & Cybercrime Investigation at University College Dublin, the 2CENTRE (European Network of Cybercrime Centres of Excellence for Training, Research and Education), the Main Directorate for Combatting Organized Crime (GDBOP) at the Bulgarian Ministry of Interior, the International Agency for Combatting Crime and Security Policies, Microsoft Bulgaria, the EMC Security Division (RSA) and the Department of Computer Systems and Management at the Sofia Technical University. B2CENTRE has received European funding under the Program for the Prevention of and Fight against Crime (ISEC) and has produced two reports: "Survey on Assessing the Need to Establish an Early Response System for Cybercrime" and "Concept and Strategy for Developing an Early Response System for Cybercrime".

Anyone who reads these "fundamental" documents to the end will find a link to the B2CENTRE website. Do not open it: it leads to a Malaysian site full of unsolicited ads. The same happens when one clicks the B2Centre link in the menu of the CERT Bulgaria site. The reason is that the domain registration was not renewed, and the domain has since been registered by someone else, who now controls whatever visitors following those official links receive.

We have a true paradox: a cybersecurity project has become a danger to one's cybersecurity. The case is a good illustration of the campaign-style nature of initiatives in this and other areas. The project ran from 2013 to 2015, the money was spent and the reports written, and then no one took care of the site's security and maintenance; there was not even anyone to remove the link to a domain that no longer has anything to do with its original purpose.

Blunder after blunder and no one is guilty

The B2Centre reports, however, contain some useful information. For example, from the Early Response Survey, we learn that “most respondents believe that the acceptable response time between the start and the discovery of the cyber threat is between 30 minutes and two hours. Seven of the polled organizations say that the reaction should be up to ten minutes, and nine – from ten to 30 minutes.”

The CPDP obviously does not think so, since it did not respond to our report within 24 hours. On Thursday, July 12, however, we were able to contact CERT.BG to report the breach. We asked to do this over a secure channel and to exchange keys for encrypted communication. Once the Center had successfully coped with the Cyrillic alphabet in the encrypted messages, it apparently managed to understand the nature of the problem. On Friday, we received confirmation that the reported breach had been registered under number 6691.

In response to our question, CERT said that to date "an audit of the CPDP's website and its information systems has not been carried out", because "inspections of the state of the information systems of the administrative bodies are carried out according to pre-established schedules". For now, the CPDP has not been scheduled for an audit.

Two years ago, Bivol also reported a serious cybersecurity breach on a website of the Ministry of Education. At that time, the personal data of 1.2 million Bulgarian schoolchildren, including full names, age, current and permanent address, was openly accessible. The Ministry denied that there was a problem, but reacted quickly once it received the alert: it took the site offline and restricted access to the data. It also referred the case to the Prosecutor's Office, but it is still not known whether anyone has been held responsible.

We have seen no similarly speedy reaction to the current breach. CERT has assured us that "communication has been established with the people in charge of network and information security and the necessary action is being taken to address the problem". However, at the time of publication, the link leading to the Malaysian ad site was still in place and the vulnerability had not been eliminated.

The good news is that the institutions tasked with safeguarding personal data and watching over the nation's cybersecurity have at least established communication with each other.
