The Police and Border Guard Board (PPA) has submitted a statement of claim to the courts demanding a contractual penalty from Gemalto, the former manufacturer of electronic ID cards for Estonia, this time in the amount of €300,000.
The PPA on Monday submitted a statement of claim to the court demanding a contractual penalty from Gemalto as the company did not notify the PPA of the security risk affecting Estonian ID cards which was exposed late last summer. The security risk affected approximately 750,000 ID cards. In its statement of claim, the PPA is demanding from Gemalto a contractual penalty and fine for delay totalling approximately €300,000 for not informing them of the security risk, the PPA said.
The PPA is pursing the penalty because Gemalto violated the responsibility of immediately forwarding significant information as stipulated in its contract. The company did not notify the Estonian state about the security weakness affecting the Infineon chip used in the documents produced by the company for Estonia. They also failed to notify the state of the work of Czech researchers, the publication of which exposed the security weakness which could be used to attack the affected cards.
Information regarding the security weakness of the ID card reached the Estonian state only on 30 August 2017, when Czech researchers notified Estonia's Information System Authority (RIA) about it. Gemalto confirmed the existence of the security weakness to the PPA on 5 September, in response to an inquiry made by the police authority on 4 September, around the time the PPA and RIA informed the Estonian public of the security weakness. As mentioned, the weakness concerned approximately 750,000 valid ID cards, and in order to avoid the security weakness being taken advantage of, the PPA suspended the certificates of affected documents on 3 November.
"The PPA is of the opinion that regardless of the claims to the contrary made by representatives of Gemalto, the company did not notify the PPA of the security risk made public to them before 5 September 2017, even though according to the contract, they had the obligation to do so immediately," said PPA Deputy Director General Krista Aas. "We first submitted a claim to Gemalto for not informing us in September 2017 already, but unfortunately, the contract partner did not agree to settle the claim outside of court."
According to Aas, the statement of claim in question concerns only one of several violations concerning same security risk. The PPA is to submit separate statements of claim regarding various violations of the ID card contract as these are legally as well as technically very complex cases.
The PPA on 26 September filed a statement of claim seeking a contractual penalty of €152 million from Gemalto AG. The action was filed with Harju County Court in connection with a breach of contract by Gemalto AG involving the generation of electronic ID card private keys outside of the card's chip, which was disclosed this May. The breach of security requirements was revealed as a result of collaboration with researchers at the University of Tartu and an analysis by experts at the Estonian company AS Cybernetica, which revealed that the contractual partner generated the private keys of more than 74,000 ID cards outside the card's chip.
Beginning next year, Estonia's ID cards will be manufactured by the French company Idemia (formerly Oberthur).
Editor: Aili Vahtla