Statement on the data breach in the National Revenue Agency of Bulgaria

OECD, 30 August 2019 – The information technology system of the National Revenue Agency (NRA) of Bulgaria was hacked and a significant amount of its data was provided to the media on 15 July 2019. Bulgaria subsequently confirmed that this data was from NRA systems and that it included data automatically exchanged with international treaty partners under the Common Reporting Standard (CRS) Multilateral Competent Authority Agreement and the EU Directive on Administrative Cooperation.


Immediately upon becoming aware of the breach, the Global Forum on Tax Transparency and Exchange of Information for Tax Purposes suspended exchanges with respect to Bulgaria and assembled a team of data security experts who are currently assessing the situation on the ground in Bulgaria. All jurisdictions’ obligations to automatically send data to Bulgaria will remain suspended until a satisfactory review has been concluded and the deficiencies identified have been addressed.


All jurisdictions participating in automatic exchange of information (AEOI) in tax matters, including via the CRS, are required to comply with international data security standards before any information is sent to them. The Global Forum has a multilateral process to assess jurisdictions’ data security arrangements, which is intended to ensure compliance with the standards. Nevertheless, the possibility of data breaches within organisations can never be entirely eliminated.


The Global Forum’s process therefore also includes a mechanism to assess and respond to breaches. This mechanism was accordingly activated when the Global Forum Secretariat became aware of the Bulgarian breach, and its international exchange partners are being kept informed.


Since the breach, Bulgaria has worked constructively and proactively with relevant domestic authorities, the Global Forum and its international exchange partners to contain, investigate and address the situation. This has included actions to significantly improve the NRA’s internal security arrangements. The NRA has been working with its partner tax administrations with a view to notifying persons whose data were affected in line with relevant legal obligations. The Global Forum Secretariat is appreciative of the open and constructive approach Bulgaria has taken.


It is important to note that the breach was not linked to the OECD Common Transmission System, which continues to ensure the security of information exchanges between tax authorities. Furthermore, any lessons learned will be incorporated into and strengthen the Global Forum’s ongoing assurance process with respect to all jurisdictions automatically exchanging information.


The CRS (and all other exchange standards) includes extensive requirements in relation to safeguarding of the information exchanged, including the actions to take in the event of a data breach. The Global Forum’s multilateral assessment process seeks to ensure that these requirements are met. This includes: (i) a pre‑exchange assessment of each jurisdiction to ensure that all tax administrations intending to participate in AEOI have data security arrangements aligned with international security standards in place before they can receive information; and (ii) a post-exchange assessment that assesses the AEOI systems after they have been implemented and information has been received, and ensures the standards are implemented on an ongoing basis in response to evolving data security threats. Some jurisdictions have been required to implement an action plan to address issues identified before a satisfactory assessment has been concluded and information can be received. Assistance is provided to jurisdictions where needed to close the gaps identified.