PBGB filed a court case against Gemalto AG due to a breach of contract

On Wednesday, 26th of September, the Estonian Police and Border Guard Board (PBGB) filed a lawsuit against Gemalto AG in the Estonian Harju County Court over a breach of contract. The breach of contract took place from 2012 to 2017 and concerns the generation of ID-card private keys outside the card's chip. The PBGB claims contractual damages in the amount of 152 million euros.

Yesterday the Estonian Police and Border Guard Board filed a lawsuit against the international security printing company and ID-document manufacturer Gemalto AG. Gemalto AG violated one of the core security principles of the Estonian ID-card by generating the ID-card private keys outside the chip. The breach of contract was made public in May 2018. The security breach was detected in cooperation with scientists from the University of Tartu. The violation was proved by the experts of AS Cybernetica, who concluded in their analysis that the contractor to the Government of Estonia generated the private keys of certain ID-cards outside the chip.

"Estonia has set a clear security requirement that the private keys of the ID-card must always be generated on the chip of the ID-card, to ensure the security and integrity of the digital identity of the cardholder. This requirement provides us with the certainty that the private keys are only on the chip and only the cardholder can use their digital identity. Unfortunately, it turned out that the card manufacturer has violated this requirement for years and we see it as a very severe breach of contract. The analysis of Cybernetica's experts showed clearly that such an infringement could only be a deliberate action of the card manufacturer," said Krista Aas, Deputy Director General of Police and Border Guard Board.

According to the Deputy Director General, over the course of the past year a number of very different and very serious violations of the ID-card contract have taken place. These violations include the security risk that was revealed last autumn, resulting in revocation of 750 000 Estonian ID-cards, and also the generation of private keys outside the chip that was made public in May this year. The Estonian Police and Border Guard Board intends to submit separate lawsuits for the various violations of the ID-card contract, as they are legally and technically very complex cases.

"This is a very specific field and we want to clearly determine each violation of the contract. Therefore, we decided to file separate claims for each violation. We decided to start with the lawsuit regarding the violation of the generation of private keys outside the chip, as it is the most serious violation for Estonia. In this case the contractual partner has knowingly violated the requirements set by the Estonian state and thus jeopardized the reliability of electronic identities and the credibility of the Estonian eID system," said Aas.

ID-cards with private keys generated outside the chip were issued from January 2011 to October 16, 2014, and residence permit cards from January 2011 until December 17, 2014, and were renewed at PPA Service Offices from July 2012 until July 2017. The total number of such cards was more than 74,000. On June 1st, 2018, due to this violation, the certificates of 11 111 ID-cards and residence permit cards were revoked by the Estonian Police and Border Guard Board.