Bulgarian Posts will be Fined BGN 1 million

The Commission for the Protection of Personal Data (CPPD) has drawn up an act for one million BGN (EUR511,540) to "Bulgarian Posts". The act is about the fact that the company "failed to implement appropriate technical and organizational measures" before and during the cyber attack of April 16 of this year and so has allowed malware to encrypt sensitive databases. No sensitive data was leaked, but adequate technical and organizational measures were not implemented before and during the cyber attack. This was reported to BTA by the office of the resigned Deputy Prime Minister for Effective Management, Kalina Konstantinova.

In recent months, a thorough review of the CPPD’s personal data protection systems has been carried out, as well as the entire history of the severe cyber attack that caused millions of damages to Bulgarian Posts earlier this April. The investigation established that the then management neglected both the provision of adequate cyber security for the company, which operates with the personal data of millions of Bulgarians and acted irresponsibly on the very day of the attack. From the chronology of events, it is clear that the actions of the employees, who should have turned off the access to the Internet, were delayed by more than 12 hours. In the event that access to the global network was suspended in time, the damage would have been many times smaller.

"From May 9 to May 19, the CPPD team of experts conducted a full inspection of all servers and workstations of Bulgarian Posts. After diagnostics, it was found that the database backups were also encrypted, further complicating the situation. The backups of the information systems are stored on the same disk arrays as the corresponding production databases, which is absolutely unacceptable. The purpose of backups is to protect information in the event of an attack, and they should definitely be positioned in another secure location. It's like keeping your spare car key inside the car.

It is important to specify that the act was drawn up due to a lack of organizational and technical measures to protect users' personal data. People can be calm because it is clear from the researched traffic between April 1st and 16th that there is no leakage of personal data", commented the chairman of CPPD Vencislav Karadjov for BTA.

"The external attackers did not have direct physical contact with the information system of Bulgarian Posts, which suggests the use of some agents to penetrate it before carrying out the malicious actions," the report states. As a result of the unauthorized access, the ability to ensure the ongoing confidentiality, availability, integrity and resilience of the company's systems was compromised.

"On April 16, the old management of the post office established a breach in the systems, which later turned out to have been carried out as early as April 9. The activation of the virus coincides with surgical precision on the day that the Easter allowances start to be paid out to pensioners, and we have every reason to believe that the aim of the attack is to compromise and hinder this very campaign. I believe that the act of the CPLD is completely objective and fair, therefore we will not appeal its decision. In a legal, fair and developed European country, the decisions of independent institutions should be implemented, and not use deliberately created loopholes in the law that allow to appeal until the statute of limitations has expired. We have said more than once that no one can and should not feel unpunished", commented Kalina Konstantinova, the principal of Bulgarian Posts and resigned Deputy Prime Minister for Effective Management, for BTA.

“Bulgarian Posts takes seriously the act drawn up by the CPPD. From the first day of the new management, we have been working not just to resuscitate the company, but also to transform it into a secure, modern and digitized postal and administrative operator. The recommendations of the act are already taken into account, and the amount of the fine will be covered by future compensations and will not affect the current turnover of the enterprise”, the new executive director Bogdan Teofanidis also explained to BTA.

The digitization and modernization of post office branches is guaranteed by the investment of over BGN 101 million from the National Plan for Recovery and Sustainability. Some of them are specifically intended to ensure the information security of Bulgarian Posts by providing up-to-date software and hardware, secure external and internal security systems, as well as training employees to work with the new systems.

Follow Novinite.com on Twitter and Facebook

Write to us at editors@novinite.com

Информирайте се на Български - Novinite.bg

/Nova

We need your support so Novinite.com can keep delivering news and information about Bulgaria! Thank you!