CRS Data Breached in Bulgarian Tax Agency Hack

Posted on Aug. 30, 2019

A major data hack at the Bulgarian tax authority involved information exchanged under the OECD’s common reporting standard (CRS), marking the first breach of its kind since countries began exchanging financial account information automatically.

Donal Godfrey, acting head of the OECD’s Global Forum on Transparency and Exchange of Information for Tax Purposes, confirmed August 29 that the Bulgarian hack included not only data exchanged with Bulgaria under the CRS, but also data exchanged under other information exchange frameworks, such as the first and second EU directives on administrative cooperation. EU officials told Tax Notes that the Bulgarian breach also involves VAT scheme data and information from Eurofisc, the EU’s anti-fraud framework.

This is the first time that CRS data has been breached, and the most serious breach the global forum is aware of, Godfrey said, noting that the global forum has had a team of experts in Bulgaria for over a month to assess the situation, discover what happened, and determine how it can be corrected to ensure that it doesn’t happen again.

The global forum has an internal process in place to address CRS data breaches that is already well underway, according to Godfrey. All CRS exchanges between Bulgaria and all its partners have been suspended pending the outcome of the OECD’s review, he said, adding that the global forum will incorporate any lessons learned from the breach into its ongoing assurance process.

The Bulgarian National Revenue Agency (BNRA) on July 15 discovered that 3 percent of its databases had been hacked, and the data of about 4 million Bulgarian citizens and about 1.1 million deceased citizens had been leaked online, according to a FAQ on the tax authority’s website.

The breach compromised the personal data and tax and social security information of domestic and foreign individuals and legal entities, and may have included names, personal identification numbers, and addresses of Bulgarian nationals; names, identification numbers, birth dates, and addresses of foreign nationals; and phone numbers and email addresses, according to the BNRA.

Some of the tax and social security information at risk included tax returns and VAT refund requests paid in other EU member states, the BNRA said. Data from international automatic exchange of information frameworks about Bulgarians and foreign persons was also exposed.

The BNRA was reportedly fined about BGN 5.1 million for the breach. Two men — Georgi Yankov and Kristian Boykov, who worked at Tad Group, a cybersecurity company with headquarters in Sofia — were arrested and charged for the breach in late July, according to reports. Boykov is thought to be a “white hat hacker” who hacks computer systems to identify security weaknesses and call for improvements.

Some of Bulgaria’s partners have confirmed that their citizens have been affected. The Canada Revenue Agency on August 7 announced that a small number of Canadians with Bulgarian financial accounts and Bulgarians with Canadian financial accounts were affected. Most of that data was collected under the CRS, the CRA said.

A Belgian Finance Ministry spokesperson also confirmed to Tax Notes that data about Belgians living in Bulgaria with accounts in Belgium, and Bulgarians living in Belgium with accounts in Bulgaria, had been stolen in the hack.

“Belgium immediately suspended all automatic data exchange with Bulgaria until further notice,” the spokesperson said, adding that a judicial inquiry is underway in Bulgaria.

The hack is certainly a serious incident, and it’s unclear whether Bulgaria can meet the high data security and data confidentiality requirements associated with intergovernmental tax information exchanges, a spokeswoman from the German Finance Ministry told Tax Notes. As a result, the German competent authority has suspended income tax and VAT data exchange with Bulgaria; once the BNRA’s security safeguards are restored, Germany will fully resume tax information exchange with the country, she added.

It’s up to the Bulgarian authorities to reassure EU member states, as well as the European Commission, that they have done all they can to ensure secure information exchange, a commission spokesman said. “The commission remains in close contact with the Bulgarian authorities to that effect,” he said.

The BNRA has been working proactively with the global forum, as well as its information exchange partners, and is already making improvements, Godfrey said.

Neither the BNRA nor the Bulgarian finance ministry responded to Tax Notes’ request for comment by press time.

The OECD first presented a global standard for the automatic exchange of financial account information in February 2014. The standard draws on its previous work in the area and incorporates many features used in the intergovernmental framework developed as a result of the U.S. Foreign Account Tax Compliance Act. All global forum members were asked to commit to implementing the automatic exchange of information standard so they could begin their first exchanges in 2017 or 2018 at the latest, and to exchange data with all interested partners that meet the OECD’s standards on confidentiality and proper data use. More than 100 jurisdictions made that commitment. The global forum is set to start a new peer review process in 2020 to assess how automatic exchange of information is working in practice.

“A data breach has always been a risk, or even a likelihood, and we will see how governments respond to it,” said Michael Plowgian, a principal with the Washington National Tax practice of KPMG LLP, adding that governments take their data protection responsibilities seriously.

Certainly, the volume, frequency, and value of tax data that countries exchange mean that data breaches and leaks are inevitable, according to John L. Harrington of Dentons.

It’s crucial to create the strongest protections possible for the exchange, storage, and use of tax data, Harrington said. “But ultimately, that will only mean a reduction in, not elimination of, breaches and leaks,” he added.

It is quite difficult to protect data in this day and age, according to Kevin Packman of Holland & Knight. “The Bulgarian issue is going to heighten alarm bells across the globe,” Packman said. “There is a push for transparency by governments, and yet taxpayers need to know that their information will be held confidentially.”

CRS critics will likely point to the Bulgarian data leak as a reason to pause automatic information exchange, but the problem isn’t about the automatic transmission of tax data, according to Harrington. “I think the question, given the risks of hacks, is whether too much information is being collected and transmitted,” he said.

“Often tax agencies want as much information as possible, to search for that proverbial needle in a haystack,” Harrington added. “The result, of course, is that they wind up with a lot of hay that they don’t need and don’t know what to do with. But hackers do.”

Elodie Lamer contributed to this report.