National Revenue Agency (NRA)
Issued by Commission for Personal Data Protection (CPDP) on 2019-08-28
What happened
Bulgaria's CPDP fined the National Revenue Agency (NRA) BGN 5.1 million (approximately €2.6 million) after a data breach exposed the personal data of approximately 5 million people, close to the entire adult population of Bulgaria. In July 2019 an attacker gained unauthorized access to NRA databases and published the stolen data online. The exposed records included names, personal identification numbers (EGN), addresses, income data and tax information. The CPDP found that the NRA had failed to implement technical and organizational security measures appropriate to the risk. Despite processing the financial data of virtually every Bulgarian citizen, the agency's security controls were insufficient to prevent, or to detect in time, the unauthorized access that led to the breach.
Articles violated
Lessons learned
Government agencies handling sensitive citizen data must implement security measures proportionate to the sensitivity and volume of the data processed; a national tax database is a high-value target and should be defended as one. Regular penetration testing and vulnerability assessments of internet-facing systems are essential for tax authorities and similar organizations. The scale of a breach directly affects the severity of enforcement: a breach affecting an entire nation's population attracts maximum scrutiny. Public sector organizations are not exempt from GDPR fines in member states that have not used the Article 83(7) option to limit or exclude fines against public authorities.
Source
View original decision
Related enforcement actions
Department of Justice and Constitutional Development (Information Regulator of South Africa, Security Measures)
Ministry of Defence (Information Commissioner's Office (ICO), Data Breach)
Interserve Group (Information Commissioner's Office (ICO), Security Measures)