Nothing to do with Snowden revelations, but with RSA prime number generation. Because of a bug on the chip, primes were generated starting from numbers divisible by ten, which are way rarer than those divisible by two (pardon the extreme simplification.)
That's a hardware design error. The claim is that Gemalto failed to fulfil the contractual clauses about quickly informing the customer (the Estonian state) of the security breach, not the existence of the security breach itself.
Well, there was this revelation that the NSA had the 'Gemalto network wide open'. After a week-long investigation, Gemalto denied any breach, leading to a situation where you could either believe the NSA or Gemalto.
I believe it is not a design error. It rather sounds like an incorrectly implemented manufacturing optimisation. And in that sense close to the Volkswagen diesel-test optimisation -- compromising the reason for the RNG/exhaust test in the first place.
The article stipulates that the contract dates back to 2002, about 11 years before the Snowden allegations came to light. So while they could have switched afterwards, the contract may have had a longer contract period, locking them in for a while. You also can’t just switch the identity provider for your national ID system; such a move would need at least some lead time.
Exactly, it's crazy to think you can keep your sovereignty while giving a foreign (French), NSA/CIA-infiltrated (In-Q-Tel/Snowden) company the keys to all your citizens' IDs, moreover with internet voting. While ahead of its time, maximum caution must be taken, and the balance must be made between convenience and independence.
In fact the root cause of the flaw is in the attempt to make the keys inaccessible to any single entity by generating them on the card. This needs the card to have circuitry and software to generate RSA primes and some reliable source of entropy, both of which are somewhat non-trivial problems (as in easy to subtly screw up) in the smartcard environment.
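Taking the first comment's simplification (primes drawn only from a narrow, structured set of candidates) together with the point above that on-card prime generation and entropy are easy to subtly get wrong, here is an added example in Python that is not code from this thread, from Gemalto, or from the card's chip. It models a deliberately narrowed generator next to an ordinary one, computes the share of the candidate space each can reach, and shows the residue check a defender can run over issued public moduli to flag keys that look like they came from the narrowed generator. The modulus M, the residue set RESIDUES, and the k*M + r candidate shape are assumptions chosen for illustration only; they are not the real chip's algorithm.

```python
# Added example (not from the thread): toy model of how restricting prime
# generation to a narrow structure shrinks the key space and leaves a
# fingerprint that a defender can test for on public moduli alone.
# ASSUMPTION: the "k*M + r with r from a tiny residue set" shape, M and
# RESIDUES are illustrative choices, not the real chip's generator.
import random

# Product of small primes; the flawed generator only ever uses a few residues mod M.
M = 3 * 5 * 7 * 11 * 13                    # 15015
RESIDUES = [pow(2, i, M) for i in range(8)]  # hypothetical residue set, all coprime to M


def is_probable_prime(n, rounds=16, rng=random):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def gen_prime_unstructured(bits, rng):
    """Baseline generator: any odd candidate of the requested size may be chosen."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def gen_prime_structured(bits, rng):
    """Flawed generator: candidates are k*M + r with r drawn from the tiny residue set."""
    k_bits = bits - M.bit_length()
    while True:
        r = rng.choice(RESIDUES)
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        cand = k * M + r
        if cand.bit_length() == bits and is_probable_prime(cand, rng=rng):
            return cand


def make_modulus(bits, rng, structured):
    """Build an RSA-style modulus n = p*q from two primes of bits//2 each."""
    gen = gen_prime_structured if structured else gen_prime_unstructured
    return gen(bits // 2, rng) * gen(bits // 2, rng)


# Every residue mod M that a product of two structured primes can have.
FINGERPRINT = {(a * b) % M for a in RESIDUES for b in RESIDUES}


def looks_structured(n):
    """Defender-side check on a public modulus: is n mod M consistent with the flawed generator?"""
    return n % M in FINGERPRINT


def candidate_fraction(structured):
    """Share of integers of a given size the generator can ever draw from."""
    return len(RESIDUES) / M if structured else 0.5


def flagged_rate(samples, bits, seed, structured):
    """Fraction of `samples` moduli from the chosen generator that the check flags."""
    rng = random.Random(seed)
    hits = sum(looks_structured(make_modulus(bits, rng, structured)) for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    print("candidate space, narrowed vs baseline:",
          candidate_fraction(True), candidate_fraction(False))
    print("flagged, narrowed generator:", flagged_rate(30, 128, 1, True))
    print("flagged, baseline generator:", flagged_rate(200, 128, 2, False))
```

The narrowed generator reaches well under a tenth of a percent of the candidates the baseline can, and the check flags every modulus it produces while only rarely flagging a baseline one; a real audit of an issued-key population would run a check of this shape against the actual generator's known structure rather than this constructed one.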