HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Bulgaria Licenses Surveillance Firm Circles to Supply Repressive Regimes, Raising Vendor‑Risk Concerns

Human Rights Watch found Bulgarian export licences that let surveillance vendor Circles sell phone‑location and interception tools to ten authoritarian governments. The episode underscores the need for SOC 2 vendor‑risk due‑diligence and continuous audit evidence around export‑control compliance.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
2 recommended
📰
Source
therecord.media

Bulgaria’s Export Licenses Enable Surveillance Firm Circles to Supply Repressive Regimes

What Happened — Human Rights Watch obtained Bulgarian export‑licensing records (2018‑2023) showing that the surveillance‑technology vendor Circles was granted licences to sell phone‑location, conversation‑interception and web‑monitoring tools to law‑enforcement and intelligence agencies in at least ten countries with documented records of repressing dissent.

Why It Matters for Compliance & Audit Readiness

  • The scenario highlights a classic vendor‑risk gap: organizations that rely on third‑party surveillance or analytics tools may inadvertently become complicit in human‑rights violations if they do not verify export‑control compliance.
  • SOC 2’s CC6.1 – Vendor Management requires documented due‑diligence, continuous monitoring, and evidence that vendors adhere to legal and ethical standards; the Circles case shows why that evidence must include export‑control and human‑rights assessments.
  • Continuous‑compliance platforms can capture licensing decisions, audit‑ready logs, and remediation steps, providing defensible proof for auditors and regulators.

Who Is Affected — Surveillance‑technology vendors, their downstream customers (government agencies, telecom operators, security‑service providers), and any enterprise that integrates such tools into its security stack.

Recommended Actions

  • Conduct a SOC 2 vendor‑risk assessment of any surveillance or analytics provider, explicitly checking export‑control licences and human‑rights due‑diligence documentation.
  • Map the findings to CC6.1 controls, collect licensing records as audit evidence, and set up continuous monitoring alerts for changes in export‑license status.
  • If gaps are identified, require the vendor to provide remediation plans or consider alternative solutions with stronger compliance postures.

Source: The Record – Bulgaria allowed surveillance tech firm to sell products to repressive regimes

Technical Notes

  • Export licences were issued by Bulgaria’s Ministry of Economy and Industry for dual‑use surveillance equipment.
  • Targeted regimes: El Salvador, UAE, Serbia, Azerbaijan, Guatemala, Bahrain, Jordan, Malaysia, Morocco, Panama.
  • The EU’s dual‑use export‑control framework is intended to block such sales, but the licensing records suggest limited human‑rights due‑diligence.

Source: same as above

📰 Original Source
https://therecord.media/bulgaria-allowed-surveillance-tech-firm-to-sell-to-repressive-regimes-report

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →