Bulgaria’s National Revenue Agency was breached sometime in June, but the exact attack window is still unclear. It appears that the agency was not aware of it until the attacker sent a taunting email to various news outlets on July 15, declaring that “The state of your cybersecurity is a parody”. A claim of responsibility came from a Russian Yandex email address, though one does not necessarily have to be in Russia to set one of those up.
While government agencies are just as subject to GDPR rules as anyone else, the actual consequences for them differ. Fines for GDPR violations are generally issued internally by each country’s Data Protection Authority (DPA), which has some leeway to set its own terms...