According to a local cyber-security researcher, most adults in the country of seven million people are likely to have had some data compromised.
Bulgarian authorities have arrested a 20-year-old man on suspicion of involvement in the attack.
Among the stolen data were names, addresses and even some details of personal income, local media reported.
The tax agency now faces a fine of up to 20 million euros (£18m), a representative of the Commission for Personal Data Protection said.
“It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised,” said cyber-security researcher Vesselin Bontchev, assistant professor at the Bulgarian Academy of Sciences.
The hack occurred in June but an email purportedly from one of the culprits was sent to Bulgarian media on Monday.
It derided the government’s cyber-security standards as “a parody”.
The email also contained an offer of access to the stolen data and said the trove contained information on more than five million people, as well as businesses.
Bulgarian police have said that while they have arrested and charged one man in connection with the incident, they are examining the possibility that others were involved.
The country’s finance minister, Vladislav Goranov, has apologised in parliament for the breach.
Mr Goranov said anyone who attempted to exploit the data “would fall under the impact of Bulgarian law”.