Estonia, EU – Baltic States, Legislation, Technology

International Internet Magazine. Baltic States news & analytics Sunday, 21.07.2019, 20:23

Estonian police authority seeking 300,000 euros more from Gemalto for untimely notification

BC, Tallinn, 06.11.2018.Print version
The Estonian Police and Border Guard Board has submitted a statement of claim to the court for demanding a contractual penalty from Gemalto, the manufacturer of the electronic ID-cards for Estonia, while the volume of the claim this time is 300,000 euros, informs LETA/BNS.

The Police and Border Guard Board on Monday submitted a statement of claim to the court for demanding a contractual penalty from Gemalto because the company did not notify the Police and Border Guard Board of the ID-card security risk that became known in fall last year. The security risk concerned approximately 750,000 ID-cards. In the statement of claim, the Police and Border Guard is demanding from Gemalto a contractual penalty and fine for delay totaling approximately 300,000 euros for not informing of the security risk, the Police and Border Guard Board said.


The police authority is seeking the contractual penalty because Gemalto violated the responsibility of immediately forwarding significant information that was stipulated in the contract. The company did not notify the state of Estonia about the security weakness of the Infineon chip used in the documents produced by Gemalto. They also did not notify the state of the work of the Czech researchers, during the publication of which the security weakness could be used for attacking the card, the Police and Border Guard Board added.


Information regarding the security weakness of the ID-card reached the state of Estonia only on Aug. 30, 2017, when the Czech researchers notified the Estonian Information System Authority (RIA). Gemalto confirmed the existence of the security weakness to the Police and Border Guard Board only on Sept. 5 in response to an inquiry made by the police authority on Sept. 4 and during the time that the Police and Border Guard Board and RIA informed the Estonian public of the security weakness. The weakness concerned approximately 750,000 valid ID-cards and in order to avoid the security weakness being taken advantage of, the Police and Border Guard Board suspended the certificates of those documents on Nov. 3, 2017.


"The Police and Border Guard Board is of the opinion that regardless of the claims to the contrary made by representatives of Gemalto, the company did not notify the Police and Border Guard Board of the security risk made public to them before Sept. 5, 2017, even though according to the contract, they had the obligation to do it immediately. We first submitted a claim to Gemalto for not informing us already in September 2017, but unfortunately, the contract partner did not agree to fulfill the penalty claim outside the court," Krista Aas, deputy director general of the Police and Border Guard Board, said.


Aas said that the statement of claim in question concerns only one of several violations to do with the same security risk. The Police and Border Guard Board is to submit separate statements of claim regarding various violations of the ID-card contract as these are legally as well as technically very complex cases.


The Estonian Police and Border Guard Board on Sept. 26 filed a statement of claim by which it seeks a contractual penalty of 152 mln euros from Gemalto AG. The action was filed with the Harju County Court in connection with a breach of contract by Gemalto AG that has to do with the generating of electronic ID-card private keys outside the card's chip, which was disclosed in May this year. The breach of security requirements was revealed as a result of collaboration with researchers at the University of Tartu and an analysis by experts at the Estonian company AS Cybernetica, which revealed that the contractual partner generated the private keys of more than 74,000 ID-cards outside the card's chip.

 

 






Search site