The Estonian government decided at a Cabinet meeting on Thursday night to suspend the certificates of Estonian ID cards vulnerable to a detected security risk on Friday night at midnight.
The government explained its decision at an emergency press conference called on Thursday night.
"I apologize before all of our citizens and people who have not been able to update their ID card certificates online yet due to the heavy load on the system," Prime Minister Jüri Ratas (Center) said at the press conference. "And I thank those who have patiently waited in Police and Border Guard Board (PPA) service points and understood that this is an exceptional situation."
Ratas explained that the Czech researchers who had initially discovered the security risk published their research in full this week, which increased the risk of the vulnerable ID cards being exploited to a critical level.
"Today's Cabinet meeting lasted over five hours," said the prime minister. "As a result of this debate, we decided to support the PPA's application to suspend the certificates of at-risk ID cards beginning Friday night at midnight. There are nearly 760,000 at-risk ID cards. This was the only conceivable decision in order to protect people's data. This will mean inconveniences, but this decision was not made lightly. But we must protect our people, businesses and e-state."
In an interview with ETV news broadcast "Aktuaalne kaamera," Ratas affirmed that the saga of Estonia's e-state will continue and become even stronger. Asked when the issue will be resolved, Ratas responded that he hoped that a definitive solution will be found by March 31, 2018. At the same time, he was convinced that they can be sure by Saturday already that not a single case of identity theft has occurred.
According to the prime minister, this is the largest potential security risk that Estonia has yet faced in connection to its national ID cards.
Related malware already available
Information System Authority (RIA) Director General Taimar Peterkop likewise confirmed that the threat assessment had changed after the research published by the Czech researchers on Monday revealed that the security flaw affecting Estonian ID cards is easier to exploit than previously believed.
"According to our information, there is also malware available as of today to exploit this flaw," Peterkop said. "As far as we know, this has not yet been done, and we also do not know if this malware works." He noted, however, that it nonetheless turned the risk of the realization of this threat into reality.
The RIA director general noted that in Slovakia, the hacking of ID cards became a sort of national sport after local hackers promised a reward for the hacking of the ID card of the Minister of the Interior, although he added that nobody had successfully done so thus far.
Peterkop said that the RIA had developed a way to bypass the security flaw, but unfortunately not all ID card holders were able patch their cards before the risk of the realization of the threat became reality.
He noted, however, that the risk affecting ID cards is not exclusive to Estonia, but rather a global issue. "The way Estonia has chosen to resolve the issue has been highlighted as an example for many others," he added.
Peterkop also confirmed that the malware developed to exploit the security flaw was not developed to target Estonia specifically.
The closing of the affected ID card certificates will affect 760,000 card holders. As of Thursday night, nearly 40,000 people had successfully renewed their ID card certificates either remotely or at PPA service points.
Editor: Aili Vahtla