eID cards issued by the company affected by ROCA

Oct 1, 2018 16:18 GMT

As reported by multiple Estonian news outlets, Estonia's Police and Border Guard Board (PPA) sued Gemalto for €152 million ($178 million) because of a security risk in the electronic ID cards the company provides to the Estonian state.

Last year, the Police and Border Guard Board (PPA) found out that the electronic ID cards issued by Gemalto to the Estonian state can be compromised using the ROCA (short for Return of Coppersmith's attack) vulnerability.

After Gemalto issued a recall of all vulnerable eID cards, the PPA now wants to recover €152 million ($178 million) in damages after registering a claim with the Harju County Court on Thursday.

The Estonian electronic ID cards issued by Gemalto are used for digitally signing documents and online voting, among many other things, which makes the security issue quite severe.

According to a statement from Gemalto, the company "cannot be held responsible in any way for this solution, as it has constantly negotiated for the conclusion of a peaceful compromise agreement in extreme confidentiality and good faith. Thus Gemalto deeply regrets the PPA's new approach to take the matter to court."

PPA announced the release of a new, more secure eID card

Gemalto also said in its press release that the claim the Estonian PPA filed in court is disproportionate to the damage, especially taking into account the PPA's own proposal in the deal the two parties had been negotiating.

After filing the €152 million claim, the PPA also announced that it has introduced a new version of the ID card with additional security elements and a contactless interface, which will start being deployed in 2019.

The new eID card comes with QR code support for quick and easy validity checks, as well as support for a variety of e-services such as digital signatures, authentication, and digital transport tickets, some of them compatible with the contactless interface and some of them only with the contact chip.

"When using the contactless interface, one must first and foremost proceed securely, and this must be done in such a manner which prevents data from the card being accessed without the card-holder's knowledge," said Margus Arm, head of the eID Department at the Information System Authority (RIA).