We found out that the company that produced the ID cards for us didn't use the best possible encryption logic. The cryptoprocessors that were on the cards were not made as per what was written into the contract. Basically, they were not good enough. These chips were produced by the Swiss company Gemalto, and the specific chips were made by German company Infinia.
That was a case that affected not only us but also Spain, Slovakia, Microsoft, and everybody else in the private sector and public sector who used the same chips. It concerned the chips that were produced in a certain time frame, from late 2014 to 2016.
Regarding Estonia, it was a massive incident, because it concerned about half of the ID cards that we use in Estonia. We could say that half of the population was basically under theoretical danger.
I have to emphasize that nothing happened, because we got out of this vulnerability and we reacted very quickly. Basically we developed a solution in two months, and we started to issue new certificates immediately after that. We didn't have any security incidents, but it put the specific concern on our table of how to approach that problem in the future and how to avoid buying a product that is certified and later finding out that the certification is not correct.