European prosecutors are considering how the Moscow office of IT contractors helped build a new EU electronic border system that will establish the bloc’s largest personal information database.
According to documents seen by the Financial Times, French IT group ATOS was found to have been extremely exploited in 2021, with the aim of collecting and storing biometric data on all non-EU visitors using Russian staff. I bought the software for a sensitive project.
Disclosure of Russia’s involvement raised important security issues regarding an ambitious overhaul of the EU border infrastructure. Its launch remains uncertain after the EU abolished dates on some targets due to technical issues.
The leaked paper suggests that the branch of Atos in Moscow is operated under a license that allows Russian FSB security services to access domestic work. Four people with knowledge of the event are directly involved in purchasing software for the border system, and are usually tasked with EU security clearance.
According to two people with knowledge of the investigation, the European Prosecutor’s Office (EPPO) is considering Athos Russia’s involvement in the border project.
The EPPO is responsible for investigating and prosecuting criminal offences that affect the economic benefits of the EU. Eppo said it had not commented on the case or publicly confirmed the investigation it is pursuing. No fees have been charged so far.
The EU’s so-called Entry/Exit System (EES) collates data that tracks the movements of all foreign tourists entering and leaving the block, recording biological and personal information as well as visa status. Atos Belgium won the EES deal in 2019, along with IBM Belgium and Italy’s Leonardo, currently worth 212 million euros.
Olaf, the EU’s anti-fuel consumption watchdog, investigated allegations regarding Athos Russia’s involvement last year. This is a survey that has not been previously disclosed. According to one person with direct knowledge of the investigation, the measures taken by EU-LISA, the agency implementing EE, are not sufficient to address “security issues.” I understand.
The person said that insufficient evidence was found to open the investigation under the OLAF’s anti-burn duty, but a recommendation was issued to the EU-LISA to address the weaknesses. Olaf declined to comment.
“We recognize the fact that EU-Lisa is working closely with the OLAF. A spokesman for the European Commission said:
Recommendation
EU-Lisa said it was “aware of allegations relating to Athos Russia’s involvement” in the project, and “there was no contractual ties with Athos Russia.”
The agency said “there were no identified security breaches,” and that “continued to continue systematic security assessments and took all relevant actions after learning the issue.”
According to internal documents obtained by FT, the software license required for part of the EES was purchased in 2021 through the office of ATOS in Moscow. There is no evidence that the Moscow branch of Athos was involved in the work of the EES after the full-scale invasion of Russian Ukraine in 2022.
The ATOS branch has been operating since 2016 under a license granted by the FSB, one of the successors of the KGB in the Soviet Union. This covers the “development, production and distribution of encryption tools, information systems, and communication systems,” according to Russian official records.
Andrei Soldatov, author and expert on Russian security services, said such licenses give the FSB a “back door” to Athos Russia’s activities. “They can see everything this company is working on,” Soldatov said.
Atos says it sold it from its Russian business in September 2022 after the invasion. Atos, IBM, and Leonardo declined to comment.
One European official said the revelation on Athos Russia raised urgent questions about access to such sensitive projects. “Security issues come to mind right away due to the vast amount of data that includes (EES),” they said.
Atos procures some EES software that allows airlines to verify traveler information such as Visa status, according to leaked documents and four people involved in the sale of software at ATOS, EU-LISA and its suppliers. I used a Russian office to do so.
Yulia Plavunova, an employee of Moscow-based ATOS, said she was “a leaked document that she was able to purchase encryption certificates from the US company AppViewx, which helps to verify users of that part of the EE,” according to leaked documents. It was a major customer contact.
Atos’ Moscow addresses are also listed in the documentation in relation to the software licenses sold by Swiss Group Magnolia for the so-called middleware that connects various parts of the computer system.
Both AppViewx and Magnolia confirmed that Atos was using Moscow Office to procure, and their contract was with Atos France and Atos Belgium.
A former ATO employee working on the project said Plavunova is “part of the procurement office” and “she was consistently involved in purchases involving third-party contractors.”
Employees said they didn’t realize that Pravnova is based in Russia and that this was “strange” as it could only be assigned to the project by “EU-exempt staff”. .
According to the main EES contracts seen by FT, all staff of IT contractors working on the project would be “effective at the EU secret level issued by the National Security Agency (member state) before providing the service. You need to maintain security clearance.”
EU-Lisa said that “no identified security breach was found” because an ATOS Russian employee “had no access to EU-Lisa’s IT systems, confidential information or facilities.” According to EU-LISA, no software purchased by AppViewX was used, and Magnolia was in use until 2022.
Plavunova left Atos in 2021 and said he “cannot disclose any information belonging to previous employers.” She said her activities as a software buyer were “not connected to Atos Russia Business,” and Atos “provided employees equal opportunities to work in different regions.” . . Being Russian does not mean working for the FSB. “
A spokesperson for the European Commission said “We are completely confident in EU-LISA’s ability to manage EU security,” and EU-LISA will “run a security audit before EES is published.” “
Additional Reports by London Criskook
