Frequently asked questions about the unauthorized access to NRA data (24 July 2019):
1. How can I check if my personal data has been unlawfully disclosed?
You can check using the new electronic service, which will be published on the NRA’s website as soon as the experts have checked whether the published data has been tampered with.
Citizens whose valid identity card numbers, issuing date and validity have been unlawfully disclosed, in combination with their three names, personal identity number and address, will be personally informed by the NRA as soon as possible.
The total number of these citizens is 189.
Any other natural persons, whose personal data has been made available illegally, do not need to change their identity cards.
2. Can anyone sell my property or car without my knowledge?
It is mandatory for sales of property and cars in Bulgaria to take place in a notary form and for signatures to be authenticated by a notary. The procedure requires the involvement of a notary who has real-time access to a database of identity documents in the country, including photographs of their holders.
The notary can and must ensure that the purchaser and the seller who appear before him/her are the same persons from the database of the primary registers of the Republic of Bulgaria, i.e. the notary verifies the identity of the parties. Notaries also have access to a computer database of powers of attorney issued to the banks and the Registry Agency, as well as access to the database of motor vehicles and their owners.
Even if someone had knowledge of your personal data, in order to sell a property or a car, they would have to commit one or more offences.
In addition, the sale of property and motor vehicles must be subject to the presentation of a notary deed or a registration certificate, the validity of which must be verified in real time, and without these, no transaction may be carried out.
The NRA has informed the Chamber of Notaries of the Republic of Bulgaria about the leakage of sensitive information, and notaries will operate with utmost care.
According to the Chamber of Notaries, there are sufficient guarantees that attempts to illegally transfer a property or a vehicle will be countered by notaries across the country.
For the sake of calm, you may enable SMS notifications of transactions involving your property, a service provided by the Registry Agency at http://sms-imot.registryagency.bg/. The Registry Agency also offers SMS notification of movements under company accounts, and you can find further information on their website.
3. Is it possible for anyone to obtain a loan or a lease on my behalf?
Banks and financial institutions granting loans or leases are obliged by law to make sure that they enter into contract with the person whose personal data is specified in the identity document. The granting of a loan/lease to someone else requires the commission of one or more offences, apart from the misuse of other people’s personal data.
Banks and financial institutions granting loans (including rapid loans) and leases have been informed by the NRA of the unauthorized access to data and have been advised to pay increased attention when identifying their clients.
The Association of Banks in Bulgaria stated that there are currently sufficient and reliable mechanisms in place to establish the identity of persons applying for bank loans.
The Bulgarian Leasing Association confirms that their members carry out both compulsory document identification and personal identification of each customer so that the conclusion of or changes to a leasing contract cannot happen without personal presence or proper electronic identification with a valid electronic certificate.
The Association for Responsible Non-Bank Lending, consisting of companies in the ‘rapid loan’ sector, assures that currently, the members of the Association implement a significant number of credible measures to verify the identity of new and active borrowers, so that the abuse of personal data would not be possible.
Even if the prior approval for a loan/lease takes place online, it is mandatory to enter into a written contract signed on paper or electronically by the parties. The financial institution must ensure that the person whose identity document data is entered in the contract is the same person as the person who signs the contract.
There is no risk of unauthorized access to e-banking, because such data has never been stored in the NRA.
4. Is there any risk for transactions concluded with power of attorney because of the unlawfully disclosed data?
In power of attorney transactions, one or more of the parties does not participate in person. Property and car transactions must be concluded by a notarized power of attorney, that is to say, the power of attorney is signed and stamped by a notary and registered in the notary’s books, after having ascertained in person that the person actually authorized to do so is the person whose data is entered in the document. All other notaries have access to a computer database of issued powers of attorney and can check whether each document is genuine.
5. Is it possible to transfer an indebted company in my name?
Such an attempt would be accompanied by the commission of one or more offences. Transactions in whole businesses or shares of commercial companies require a notary’s certification and a written contract. In the case of a sale of a whole enterprise, a certificate from the National Revenue Agency is also required. The Bulgarian Chamber of Notaries has been informed by the NRA of the leak of sensitive data; transactions in the coming months will be carried out with increased attention, and notaries have access to all the powers of attorney issued to the Registry Agency.
6. Is there any risk for my diseases or medical history and treatment data to become publicly available?
No. The NRA information that has been unlawfully disclosed concerns the health insurance status of citizens, i.e. whether health insurance contributions have been paid. The data from your medical file has not been collected by the NRA and was not disclosed; this information is protected.
7. Does unlawfully disclosed data include information concerning my NRA personal identification code (PIC)?
Unlawfully disclosed data currently does not include any information about personal identification codes issued by the NRA.
However, we recommend that you change your NRA PIC. You can do this free of charge on the e-services portal of the Revenue Agency at https://inetdec.nra.bg/eservices.html or in any NRA office you might choose.
8. Has information about my e-signature been leaked and is it possible to abuse it?
No. The electronic signature of a natural or legal person is password protected and, in addition, requires access to a physical medium (most often on a USB stick). Your electronic signature is not at risk because of the unlawfully disclosed NRA data.
9. General recommendations
- Be careful if contacted by telephone or e-mail and, as a result, asked to do something of a financial or personal nature.
- Do not give details of bank accounts, debit or credit cards, regardless of who the person contacting you says they are.
- Give a heads up to your family and relatives that personal data about you has become publicly available and advise them never to do anything with financial consequences, unless they have previously contacted you directly.
- For the sake of your additional security, you can change the passwords of the email account you use.
- If there are any indications that someone is attempting to illegally acquire your property or enter into an obligation on your behalf, contact the competent police office headquarters in your place of residence without any delay.
- Further information on questions regarding the unlawfully disclosed data can be obtained from the NRA by phone on 0700 18 700 (standard fixed line urban call rate and standard mobile operator rates apply).