Police: 12,500 ID card certificates to be deleted due to security issue

The Police and Border Guard Board (PPA) announced on Thursday that they are replacing another 12,500 ID cards that don't meet safety standards. The certificates that enable the digital use of the cards in question will become invalid on June 1.
This latest batch of ID cards that show a risk in terms of data safety was issued between 2011 and Oct. 16, 2014. Though the total number of cards issued in that time period is over 74,000, only some 12,500 are still valid and in use.
The issue isn't connected with that of the 760,000 cards that were at risk after a flaw in their chips was found last year, as those were all issued after October 2014.
Among the cards that need to be replaced are residency permit cards as well, in particular those issued between 2011 and Dec. 17, 2014.
The State Information Systems Authority (RIA) discovered this latest security issue in cooperation with scientists of the University of Tartu. Last week it also received the results of an analysis carried out by experts at AS Cybernetica, the company that developed Estonia's X-Road and electronic voting systems.
According to the PPA, the producer of the cards didn't follow all of the security requirements and generated additional keys outside the chips themselves that could be used as proof of identity without needing the card or associated PINs.
As Margus Arm, responsible for RIA's electronic ID department, told ERR on Thursday, Estonia generally follows the rule of only generating keys on individual card chips. In the case of the cards in question, keys were generated externally, which means that they could have been copied and could be applied without actually using the corresponding ID cards.
The producer of the cards is Gemalto, formerly Trüb Baltic. The PPA has already submitted a claim for Gemalto's failure to uphold the required security standards, though Gemalto is denying having made any mistake.
The PPA will notify holders of the affected cards through the Eesti.ee government portal. The certificates of the cards in question will be invalid starting June 1, after which only pre-existing Mobile ID services can be used. The cards will continue to be valid as physical proof of identity until replaced.
Due to conditions arising from current legislation, the PPA cannot issue entirely new cards valid for five years to replace the existing ones. Card holders can get a replacement card for free, but any such card will expire at the exact same date the faulty card would have expired.
Editor: Dario Cavegn