PBGB filed a new court case against Gemalto AG claiming contractual damages
11/06/2018


On Monday, 5th of November, the Estonian Police and Border Guard Board (PBGB) filed a lawsuit against Gemalto AG claiming contractual damages because Gemalto AG did not notify PBGB about the security vulnerability of the ID-cards last autumn. The security vulnerability affected 750 000 ID-cards. PBGB claims contractual damages for not notifying about the security vulnerability and overdues in the amount of around 300 000 euros.

PBGB is claiming contractual damages because Gemalto breached the contractual obligation to immediately notify about important information. Gemalto did not notify the Estonian authorities about the security weakness in Infineon chips used in documents produced by Gemalto. They also failed to notify PBGB about the findings of the Czech scientists, which, when published, could be used to attack the cards affected by the security weakness. Information about the security vulnerability of the ID-cards reached the Estonian authorities on 30th of August 2017, when the Czech scientists informed the Information System Authority (ISA). Gemalto notified PBGB only on 5th of September 2017 in response to the enquiry made on 4th of September and at a time when PBGB and ISA informed the public. The security vulnerability affected 750 000 ID-cards. To avoid malicious use of the security vulnerability, PBGB suspended the certificates of the affected documents on 3rd of November 2017.

"PBGB has taken a position that though the Gemalto representative states the opposite, Gemalto did not notify the Estonian Police and Border Guard Board about the security vulnerability before the 5th of September 2017. According to the contract they should have done it immediately. We filed our first claim to Gemalto for not notifying PBGB already in September 2017, but unfortunately the contractor did not agree to pay the contractual damages out-of-court," said Krista Aas, the Deputy Director General of PBGB.

According to the Deputy Director General, the present court case concerns only one of many breaches related to the same security vulnerability. PBGB will file different court cases about other breaches, because the issue is legally and technically very complex.

On 26th of September, the Estonian Police and Border Guard Board filed a lawsuit against Gemalto AG with the Estonian Harju County Court due to the breach of contract that was related to violating the agreed security procedures for ID-card personalisation. PBGB claims contractual damages in the amount of 152 million euros. The breach of security requirements became public as a result of cooperation with scientists. Expert analysis concluded that the contractor generated the private keys of more than 74 000 ID-cards outside the chip and did not inform the PBGB about it.
