International Internet Magazine. Baltic States news & analytics
Friday, 29.03.2024, 02:00
Estonian police authority seeking 300,000 euros more from Gemalto for untimely notification
The Police and Border Guard Board on Monday submitted a statement of claim to the court demanding a contractual penalty from Gemalto because the company did not notify the Police and Border Guard Board of the ID-card security risk that became known in the fall of last year. The security risk concerned approximately 750,000 ID-cards. In the statement of claim, the Police and Border Guard Board is demanding from Gemalto a contractual penalty and fine for delay totaling approximately 300,000 euros for not informing it of the security risk, the Police and Border Guard Board said.
The police authority is seeking the contractual penalty because Gemalto violated its obligation, stipulated in the contract, to forward significant information immediately. The company did not notify the state of Estonia about the security weakness of the Infineon chip used in the documents produced by Gemalto. It also did not notify the state of the work of the Czech researchers, upon the publication of which the security weakness could be used for attacking the card, the Police and Border Guard Board added.
Information regarding the security weakness of the ID-card reached the state of Estonia only on Aug. 30, 2017, when the Czech researchers notified the Estonian Information System Authority (RIA). Gemalto confirmed the existence of the security weakness to the Police and Border Guard Board only on Sept. 5, in response to an inquiry made by the police authority on Sept. 4, and at a time when the Police and Border Guard Board and RIA were informing the Estonian public of the security weakness. The weakness concerned approximately 750,000 valid ID-cards, and to prevent it from being exploited, the Police and Border Guard Board suspended the certificates of those documents on Nov. 3, 2017.
"The Police and Border Guard Board is of the opinion that regardless of the claims to the contrary made by representatives of Gemalto, the company did not notify the Police and Border Guard Board of the security risk made public to them before Sept. 5, 2017, even though according to the contract, they had the obligation to do it immediately. We first submitted a claim to Gemalto for not informing us already in September 2017, but unfortunately, the contract partner did not agree to fulfill the penalty claim outside the court," Krista Aas, deputy director general of the Police and Border Guard Board, said.
Aas said that the statement of claim in question concerns only one of several violations to do with the same security risk. The Police and Border Guard Board is to submit separate statements of claim regarding various violations of the ID-card contract as these are legally as well as technically very complex cases.
The Estonian Police and Border Guard Board on Sept. 26 filed a statement of claim by which it seeks a contractual penalty of 152 million euros from Gemalto AG. The action was filed with the Harju County Court in connection with a breach of contract by Gemalto AG that has to do with the generation of electronic ID-card private keys outside the card's chip, which was disclosed in May this year. The breach of security requirements came to light as a result of collaboration with researchers at the University of Tartu and an analysis by experts at the Estonian company AS Cybernetica, which revealed that the contractual partner generated the private keys of more than 74,000 ID-cards outside the card's chip.