“We want a public apology in connection with the false claim that the Information System Authority (RIA) was notified about the ID card security risk,” Kirch told journalists on Friday. “We have received a letter from Gemalto saying that it is not their public position, but we haven’t received a public apology.”
Kirch added that lawyers are currently drawing up a legal position regarding the amount of damages Estonia will demand from Gemalto.
The Estonian government, the RIA and the Police and Border Guard Board (PPA) announced to the public at the beginning of September that Czech researchers had identified a security flaw in the chip used in hundreds of thousands of electronic ID cards issued in Estonia.
On Thursday, Nov. 2, the Estonian government decided at a Cabinet meeting to suspend, at midnight the next night, the certificates of the approximately 800,000 Estonian ID cards vulnerable to the detected security risk.
Prime Minister Jüri Ratas explained at a government press conference that evening that the Czech researchers who had initially discovered the security risk had published their research in full that week, which increased the risk of the vulnerable ID cards being exploited to a critical level. The security risk affects all ID cards issued in Estonia beginning Oct. 16, 2014, including national IDs and the ID cards issued to Estonian e-residents.
Andreas Lehmann, director of Gemalto representative Trüb Baltic AS, wrote on LinkedIn in November that he had already informed the PPA and RIA of the vulnerability affecting the ID cards on June 15. He claimed that Estonian authorities opted not to draw attention to the information at the time as the summer vacation period was about to begin.
All active ID card users updated
As of Friday morning, more than 310,000 people have updated the security certificates of their affected ID cards, including 240,000 remotely and 70,000 in person at PPA service points, the RIA said.
According to RIA e-ID domain director Margus Arm, all active users of ID cards have updated their certificates by now.