On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted.
“According to Estonian experts’ current assessments, the security risk exists and we will continue testing the researchers’ claims,” said RIA director general Taimar Peterkop. “We have already worked out initial solutions for risk mitigation and are doing everything we can to ensure that the security of ID cards remains guaranteed.”
The RIA confirmed that no cases of identity theft have been reported. “Based on current information, the given security risk has not been realized and nobody’s digital identity has been abused with its help,” Peterkop said.
The Police and Border Guard Board has confirmed that ID cards will continue to be issued and remain in use. “The risk is great enough to take seriously, but not enough to cancel the cards,” noted Minister of Entrepreneurship and Information Technology Urve Palo.
Prime Minister Jüri Ratas said that this incident will not affect the course of the Estonian e-state. Estonian authorities have also confirmed that IT specialists will be able to eliminate the security risk, but that this will take time.
Early and online voting in this fall’s local government council elections is scheduled to begin on Oct. 5; the State Electoral Office will make a decision regarding the use of potentially affected ID cards for online voting in these elections.
This is exactly the sort of thing to worry about as ID systems become more prevalent and more centralized. Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?