Bulgarian prosecutors have indicted two men on terrorism-related charges following an enormous data breach earlier this month that compromised the financial records of almost every adult in the country.
The two men, Georgi Yankov and Kristian Boykov, work at US cybersecurity company Tad Group, which houses its corporate headquarters in Bulgaria's capital Sofia.
Speaking to Reuters, lawyer Georgi Stefanov said his clients had been released from custody after being charged and had denied any wrongdoing.
He added: "We are very surprised with these charges. How do you charge someone with terrorism and let them go?"
Prosecutors were not immediately available for comment.
Boykov, 20, was originally facing charges of crime against information systems, but this was later changed to a cyber-terrorism charge.
He has been banned from leaving the country.
Analysis into decrypted data from one of his computers led investigators to believe that he had stolen tax agency data, before posing as a Russian hacker in an email to local media offering up such data.
It was later posted online.
Investigators said they believe Boykov was not working alone and were looking for others in connection with the attack.
Georgi Yankov, a manager at Tad Group, was later arrested after a police raid at the company's offices on Tuesday.
The tax agency where the data was stolen is now facing a fine of up to €20 million for the breach on around 3% of its database.
There are just over 7 million people living in Bulgaria — the data of more than 4 million people in the country was compromised, meaning almost every adult in the population was affected.
According to financial newspaper Capital, the leaked data also included files from the EU's anti-fraud network EUROFISC, which allows national tax administrations to share information on fraudulent activities and combat organised VAT fraud.
On Wednesday, the tax agency said it would contact 189 Bulgarians whose full names, personal identification numbers, addresses and ID card details were among the leaked data.
The more than four million Bulgarians affected by the breach do not need to change their ID cards, the agency said.
The agency has informed notaries, banks and credit lenders in the Balkan country over the data breach and urged them to be extra vigilant in approving property deals or extending loans.