Sopra Steria under fire for EU border biometric system vulnerabilities


An audit by the European Data Protection Supervisor last year identified thousands of “high” severity cybersecurity vulnerabilities in the tool used to share data between border control agencies. The vulnerabilities are particularly concerning given the role of the second-generation Schengen Information System in the EU’s biometric Entry/Exit System (EES), which is set to go live in October.

SIS II stores and enables the sharing of data on illegal immigrants and suspected criminals between European border authorities. Sopra Steria is the system’s developer and is contracted to maintain it.

The audit report and emails seen by Bloomberg and Lighthouse Reports suggest that Sopra Steria took between eight months and five and a half years to address the problems after eu-LISA informed it of them. Sopra Steria workers suggested at one point that an extra 19,000 euros (approximately US$22,200) would be necessary to patch some vulnerabilities identified by eu-LISA employees. But a monthly maintenance fee of between €519,000 and €619,000 should have covered that cost, according to eu-LISA’s response.

A Sopra Steria representative told the auditor that the company’s role was carried out in accordance with the legal, regulatory, and contractual frameworks governing SIS II.

The EDPS audit also found that administrator-level access to the database had been given to an “excessive number” of accounts, making the system susceptible to attacks by insiders. Sixty-nine people not directly employed by the EU and lacking the necessary security clearance were found to have access to SIS II. Despite the lapses, there is no evidence that any data has been stolen from the system.

The SIS II stores 93 million records for stolen objects, including ID documents, about 1.7 million of which are personally identifiable. The database includes photos of suspects and fingerprint biometrics collected at crime scenes. Nearly 200,000 of the individuals identified in the database have been flagged as potential national security threats.

The auditor laid responsibility for some of the vulnerabilities at the feet of eu-LISA, noting that it did not inform its management board about identified security gaps. Sources told Bloomberg that the agency’s reliance on consulting firms contributed to the problems with SIS II.

Center for Future Generations Senior Fellow Leonardo Quattrucci said the EU needs to treat procurement as a strategic function, rather than a compliance process.

Sopra Steria and Idemia were jointly awarded the contract for the shared biometric matching system (sBMS) that backs EES in 2020.

The project has languished under a series of delays, many of them blamed on Atos and its consortium partners IBM and Leonardo, which won a contract to build the EES core in 2019.
