What should I do if the enquiry shows that my personal data has been illegally disclosed?

Dear clients,

If you have made an enquiry and it shows that your personal data has been unlawfully disclosed, it is important for you to know that you do not need to take extraordinary action.

You do not need to change your identity documents.

There is no immediate risk that someone will dispose of your property or assume obligations on your behalf because of the unlawfully disclosed data. This has been confirmed by the Chamber of Notaries, the banks, the fast loans and leasing companies, and the Registry Agency.

We advise you to be cautious when contacted by telephone or by e-mail and give no financial information to anyone.  

For further security, you can change the password of your email account and the NRA generated personal identification code (PIC).

What concrete data on me have been leaked?

It is important to know that the unlawfully disclosed data is partial and does not allow for anyone to navigate through your overall assets.    

We are currently comparing the illegally disclosed tax and social security information with that in our real databases, in order to check whether published data has been supplemented or tempered with.  

Once we have done this, we will also be able to provide information on the specific type of data that has been disclosed.

Until then, it is sufficient to read the NRA’s recommendations in relation to personal data at


NRA: We are currently comparing the unlawfully disseminated information with the real databases

Most of the disclosed information concerns 189 persons, the revenue agency will contact them personally.

There is no need for nearly 4 million Bulgarians whose data has been unlawfully disclosed to change their identity documents. Practical advice for them will be published on NRA’s website by the end of day on 24.07.2019.

After further inspections, it was found that the last week illegally disseminated data of 189 persons  included a combination of names, Personal Identification Number, address, number, validity and issuer of a valid ID card. For these citizens there is a greater risk of potential abuse and they will be personally informed by the National Revenue Agency immediately by telephone or e-mail.

The NRA reports that the application for verification of illegally distributed personal data will work by means of Personal Identification Number and will send the results of the data processing to a mobile phone number introduced by the user. The check will be one-off – for one person only and will only answer whether there has been unlawfully disclosed information. This is necessary to ensure that there will be no misuse of personal data, NRA complements.

The Agency is currently comparing the unlawfully disseminated tax and social security information with the information in the real databases to check whether there is overwriting or manipulation, the revenue authority announced. After completion of the inspections, the Agency will be able to provide persons with additional information about the particular type of data that has been disseminated.

General Information

Updated on 9 August 2019

On 15 July 2019, it was found that there had been an unauthorized access to about 3% of the information contained in NRA’s databases. 

Which natural persons have been affected? 

Information about 5.1 million Bulgarian citizens has been affected, about 4 million of them being actual citizens, the others are deceased.  

What information about natural persons and legal entities has become available?

Personal data and tax and social security information about domestic and foreign individuals and legal entities have been unlawfully leaked.

It is important to know that this is not all the information available to the National Revenue Agency for a specific natural or legal person, but only partial information, which needs further processing in order to be used. Nevertheless, sensitive data for many Bulgarian and foreign persons has become publicly available.  

The unlawfully distributed information may contain any of the following data: 

  • Names, Personal Identification Numbers and addresses of Bulgarian natural persons
  • Names, identification number, date of birth, address of foreign nationals
  • Telephone numbers, e-mail addresses

Tax and social security information, such as:

  • Data from annual tax returns of natural persons
  • Data from records of income received by natural persons
  • Data from social security declarations
  • Data regarding health insurance status (Important! This concerns social security contributions and not medical status or information on treatment of natural persons)
  • Data regarding issued acts of administrative violations
  • Data regarding tax and social security payments made via Bulgarian Posts EAD
  • Data from VAT refund requests paid in another EU Member State

    Data from the international automatic tax information exchange regarding Bulgarian and foreign persons

  • Data received at NRA ex officio from other institutions, such as the Customs Agency, the Employment Agency, the Social Assistance Agency, the NHIF, etc. 

How do I find out if my data has been leaked?

The application where you will be able to check whether your personal data has been leaked is available at  For security reasons, the information in the app is accessible after entering the Personal Identification Number and a single-use code sent to the telephone number indicated in the request.  

What measures has the National Revenue Agency undertaken?


  • The persons concerned at the NRA and the data protection officer have been notified; 
  • The Commission for Personal Data Protection has been informed;
  • Law enforcement authorities, including the State Agency for National Security (SANS), the General Directorate Combating Organized Crime (GDCOC), the National Centre for Incident Response in Information Security (CERT), the State e-Government Agency (SEGA), have been notified;
  • The Prosecutor’s Office of the Republic of Bulgaria has been notified;
  • A vulnerability overview of all NRA services accessible via the Internet has been conducted;
  • The access to services, for which a vulnerability has been identified, has been restricted or suspended;
  • A full audit of NRA’s IT systems by an independent external organization has been commissioned and is currently underway;
  • Meetings with the Association of Commercial Banks, the Chamber of Notaries, the Ministry of the Interior, the Registry Agency and other government agencies and industry organizations have been held in order to protect the interests of citizens;
  • All public authorities, institutions and organizations providing public services, with which the NRA has established partnership relations, have been notified;
  • Bulgaria’s international partners in the tax area and the European Commission have been notified

We assure you that the Agency has taken all the necessary measures to ensure that the security of its information systems is improved. We reiterate our apologies for the situation created.