How can French passport firm Gemalto be trusted with post-Brexit contract?

Fresh security fears were last night raised about the Franco-Dutch firm chosen to make Britain’s post-Brexit passports.

Gemalto, the Government’s preferred bidder, was revealed to have supplied Estonia with as many as 750,000 ID cards with security flaws.

Experts suggested the company could be linked to millions of cards vulnerable to cloning and identity theft, sold across Europe, including to at least one government and several private businesses.

The cards were said to contain chips and software sourced by Gemalto from a German firm. 

Under the Home Office deal, it is thought Gemalto will also be responsible for sourcing the biometric chips for British passports.

MPs said the revelations raised further questions about whether the company could be trusted to deliver Britain’s new blue travel documents.

British bidder De La Rue believes it came out ahead of its foreign rival on both quality and security – and was undercut only on price. 

It has said it will appeal the Government decision. Critics pointed out that the Gemalto bid saves only £10million a year, the equivalent of just six-and-a-half hours of UK foreign aid spending.

Last night the Daily Mail’s petition demanding new British passports be made in the UK surged past 300,000 signatories. A team of Mail reporters will hand it in to Downing Street today, with MPs who are backing the campaign.

Cryptography expert and CEO of Enigma Bridge, Daniel Cvrcek – who found errors in the Gemalto cards after testing them – said he believed millions had been issued by the company across Europe up to September last year, when it announced it was ending sale of the flawed cards.

Mr Cvrcek said: ‘The cards in question that had a problem are mostly used in the enterprise market, so large companies who use them internally to get access to buildings, computers … some of them are government, like Estonia, but the scale of cards issued was certainly millions.

‘The picture is bigger than Estonia. My guess is hundreds of large companies would have been using them.’

Mr Cvrcek said he knew of examples including a well-known financial organisation that used the cards in central Europe which had suffered a cyber-attack. 

The flawed cards were said to have contained chips and software sourced from German firm Infineon Technologies, which said it reacted quickly to fix the error. 

‘Infineon thoroughly investigated the newly developed methods and reacted immediately,’ a company spokesman said at the time.

Is the £120million saving worth it? 

THE Home Office claims the bid by Franco-Dutch firm Gemalto will save the taxpayer £120million over almost 12 years – in other words, around £10million a year.

However, that equates to just £1.70 per UK passport. 

Critics have suggested that is a small saving when matters of national security are concerned.

It has also been pointed out that the public sector would find the saving very easy to spend. For example, £10million is equal to:

  • Six and a half hours of foreign aid: Britain’s international development budget was £13.4billion last year;
  • Just over a month of MPs’ expenses: in 2016/17, the Independent Parliamentary Standards Authority handed out £109.9million in expenses;
  • Four months of Oxfam funding: the Government gave the scandal-hit charity £31.7million last year;
  • One fifth of a new county council headquarters: last year, crisis-hit Northamptonshire opened a lavish new HQ costing £53million. Now it is facing bankruptcy;
  • Seven months of the equalities quango budget: last year the Equalities and Human Rights Commission spent £17.7million;
  • An eighth of the annual salaries of all civil servants who earn more than the Prime Minister: last year the salaries of everyone in Whitehall who took home more than £150,000 came to £80.3million.

Yesterday, Estonia’s ex-president urged the UK government to approach the passport deal with caution, accusing Gemalto of ‘irresponsible’ behaviour by failing to notify Estonia about the flaws.

Tory MP Andrew Bridgen said: ‘The revelation about Estonian ID cards confirms our worst suspicions … 

‘The Government should review the contract and give the security of our passports system the consideration it needs … As the Estonian ID card fiasco shows, the cheapest price is not always the best.’

Fellow Conservative Andrew Rosindell said: ‘The Government have dismissed the serious security concerns … the Government needs to look at this again.’

There was national panic in Estonia in November after its prime minister issued a warning over the compromised ID cards. 

Toomas Hendrik Ilves, Estonia’s president from 2006 to 2016, said yesterday: ‘Given Gemalto’s behaviour with Estonia, I’m not sure that the British government will be happy with its decision … 

‘I would specify in your contract with Gemalto in the strongest terms that if there are any vulnerabilities or any other problems they inform you immediately. 

‘In February last year a vulnerability was discovered on the chip that we used in our Gemalto-made ID cards.

‘We were only informed about it in August, and not by Gemalto, but by a Czech research group … That’s the definition of irresponsible behaviour.’

From 2019, Estonian ID cards will be made by Oberthur Technologies, a French firm. An Estonian official said: ‘I would guess that the Brits would have chosen a higher level [of security] for passports.’

The Mail sent a list of detailed questions to Infineon but it did not respond last night. 

The Home Office also did not respond to requests for comment. The department has said personalisation pages of the new blue passports, including chips, will be done in the UK.

A Gemalto spokesman said that after a ‘theoretical security threat’ was revealed in 2017, it ‘actively worked and supported the Estonian authorities to develop and implement a remedy to the said threat to the Estonian e-ID card … which completely suppressed their potential vulnerability. Such threat has never materialised, not even for a single card.’

He added that ‘all e-passports provided by Gemalto around the world are immune to this vulnerability’. 
