RIA representative: Lehmann hinted at ID card flaw, but hints were vague
Margus Arm, eID domain manager at Estonia's Information System Authority (RIA) has admitted that he had spoken to Trüb Baltic AS CEO Andreas Lehmann on the phone on June 15, but claimed the latter's hints were so vague that they could not be considered information regarding a cyber incident or ID card security risk.
"In our phone conversation, Andreas Lehmann gave very vague hints; they could not possibly be considered information regarding a cyber incident or ID card security risk," Arm told daily Õhtuleht (link in Estonian). "He used wording like 'may be a problem.' In response to clarifying questions, the only clarification was that they did not know yet, they'd look into it and let us know."
According to Arm, he asked Lehmann again a week later whether he had any new information, but there was none. Lehmann's explanation did not contain a single specific fact which would have hinted at the flaw contained in the major manufacturer's chip.
On June 15, a regular meeting was also held at the Police and Border Guard Board (PPA) regarding the fulfillment of ID card and passport production contracts. Lehmann was present at the meeting, however according to a PPA spokesperson, he had not said anything about an ID card-related security risk then either.
Andreas Lehmann, director of Trüb Baltic AS, which represents ID card producer Gemalto, claimed on Wednesday that he had informed Estonian state authorities of the security flaw affecting hundreds of thousands of Estonian ID cards on June 15 already. Estonian authorities, however, maintain that they were first informed of the flaw by Czech researchers late on the night of Aug. 30, after which they reached out to Gemalto themselves.
In an interview with ERR's online news portal, RIA Director General Taimar Peterkop claimed Lehmann's story was a lie, confirming that "We have not received anything either verbally or in writing."
Certificates suspended in early November
On Thursday, Nov. 2, the Estonian government decided at a Cabinet meeting to suspend the certificates of Estonian ID cards vulnerable to a detected security risk, which numbered approximately 800,000 in total, at midnight the next night.
Prime Minister Jüri Ratas explained at a government press conference that evening that the Czech researchers who had initially discovered the security risk affecting all ID cards issued in Estonia beginning Oct. 16, 2014, including national IDs and the ID cards issued to Estonian e-residents, had published their research in full that week, which increased the risk of the vulnerable ID cards being exploited to a critical level.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk; also unaffected are ID cards issued beginning at the end of last month.
According to the RIA, more than 272,000 people had updated their certificates by late Monday evening.
Editor: Aili Vahtla