Industry News

Estonia deals with massive security flaw in digital ID cards

Estonians were not allowed to use online government services for an entire weekend, as efforts were made to fix a security flaw in the chip encryption of the national identity cards, writes the BBC. The security flaw was detected by researchers in September who warned the government about possible identity theft risks.

“[The] danger of the security threat becoming real was increased by the fact that it was not a flaw of the Estonian ID card alone, but also included cards and computer systems around the world that use the chips by the same producer,” said Kaspar Korjus, managing director for the e-resident program.

“This brought the safety flaw to the attention of international cybercrime networks which had significant means to take advantage of the situation.”

This was a huge problem, as the digital ID system is used by Estonian citizens and residents to access all important public and private services, including online government services, medical records, online banking and voting systems.

760,000 Estonians, almost half of the country’s population, were affected earlier this year by the security flaw which could have permitted hackers access to private data and citizen impersonation.

“As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real,” said the country’s Prime Minister Juri Ratas.

“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card.”

ID cards issued between October 2014 and October 25th, 2017 will be blocked until the security certificates are updated. Users are to update the security certificates by March 2018. To avoid error messages and a system crash, updates for the digital ID cards are performed based on priority: medical professionals and frequent users first.

“We are aware that many citizens, residents and e-residents have been receiving error messages due to the high volume of people updating at the same time,” Korjus said.

“As a result, the ability to update certificates was temporarily restricted last weekend in order to prioritize people who use their digital ID cards to provide vital services, such as medical professionals inside Estonia, as well as the most frequent users, which will include e-residents that will be notified by email.”

About the author


From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.