French ID security contractor exposed data of millions of US citizens, whistleblower alleges

A French identity-verification security services company that contracts for federal and state governments has broken national security regulations and compromised the personal data of millions of Americans, according to a lawsuit filed by a company whistleblower.

The lawsuit, which has not been reported on before, alleges that IDEMIA, a multinational tech company headquartered in France, compromised personally identifying information of a significant number of Americans by allowing foreign software developers to create certain apps that are used by U.S. citizens.

The lawsuit was filed in Tennessee federal court by Charles Carroll, a former top executive with IDEMIA in North America, who is suing the company for unlawful termination because, he says, his job performance was unfairly called into question following a cancer diagnosis.

IDEMIA, which provides biometric and identity services to the Transportation Security Administration and claims to be the largest issuer of driver’s licenses in the United States, outsourced the software development of one of its major phone apps to developers in Eastern Europe and South Asia, according to the lawsuit.

IDEMIA helps issue 90 million driver’s licenses every year to governments around the world, including millions within the U.S., and has 12 million Americans’ biometric data to help with processing applications for TSA PreCheck, a program that allows those approved to go through fewer security checks at airports.

The mobile app that has been compromised, according to the lawsuit, is IDEMIA’s Trusted Fan app, which allows users quick access into sporting events and concerts by verifying their identity using a selfie, a valid state-issued photo identification document, and biometric data, such as fingerprints.

Using foreign software developers to help create software that is used to collect and handle personally identifying information of U.S. citizens is a violation of a contract between IDEMIA and the Treasury Department’s Committee on Foreign Investment in the United States, and thereby the company has broken national security regulations, according to the lawsuit. CFIUS regulates transactions involving foreign investments in the U.S.

IDEMIA’s agreement with CFIUS for operating in the U.S. required that all software development and maintenance of programs that could collect personally identifying information of U.S. citizens be done domestically for national security reasons.

The central concern with having foreign developers create software that handles U.S. citizens’ sensitive personal information is that people’s identities are valuable commodities that can be used to harm and target them with malware, hacks, and ransomware.

“Foreign-created software programs could have a bug or a backdoor that the developer can then utilize later on to access the U.S. citizen’s database within it,” said Nova Daly, a lawyer who specialized in CFIUS transactions and companies that face national security concerns.

“They know where and how the software will be used, so they can create backdoor access to it and potentially compromise sensitive data that can then be used in harmful ways,” he added.

Internet data security experts say that, by compromising U.S. citizens’ personal data, IDEMIA could be hurting them online as well as at the in-person events they are helping to keep secure.

“If people give their biometric data to Trusted Fans to allow them to get into a stadium, get through security, and if their data has been compromised, then a hacker or foreign entities could have access to U.S. citizens’ data and do harmful things with it,” said Chris Olson, CEO of the Media Trust, a data security company that provides anti-malware and protection services to multiple Fortune 2000 companies.

“If that data gets compromised, then there’s no way to know if people in that stadium are safe because terrorist groups and others could hack into the app to get into sports stadiums — it’s certainly plausible. It’s not a big leap,” Olson added.

Olson said more than 50% of the 1,400 online malware and fraud attacks his company finds every day come from foreign actors.

He added that the frequency of foreign malware attacks justifies the CFIUS national security regulations because foreign actors are harder to monitor and catch and can cause massive harm if they get access to sensitive personal data.

IDEMIA denies the allegations made in the lawsuit and says it expects to prevail in court.

“IDEMIA is aware of the lawsuit that was recently filed by Mr. Carroll in Tennessee federal court. The allegations that IDEMIA violated national security and other laws are completely without merit,” IDEMIA said in a statement provided to the Washington Examiner.

“IDEMIA will vigorously defend all the claims in this lawsuit. While it is IDEMIA’s policy not to provide specifics about pending litigation, we believe that the court will ultimately agree that these claims are unfounded,” it added.

The Trusted Fans mobile app is currently not available to download on iPhones via Apple’s App Store and on Android devices via the Google Play store, likely due to the litigation.

Former CFIUS officials say that the revelations in the lawsuit could put pressure on the interagency committee within the Treasury Department to take action and more closely scrutinize their agreements with companies.

“This might catch the eye of Congress, who could pressure CFIUS to look into their regulations and mitigation agreements and see what’s happening,” a former top CFIUS official said.

“CFIUS might have to worry about the political fallout, of whether or not they’re auditing mitigation agreements closely enough,” the former official said.

Breaching CFIUS agreements can result in civil penalties. The CFIUS can fine a company such as IDEMIA $250,000 per violation, which, if there are multiple violations, can get stacked together to amount to millions of dollars in fines.

“This violation of a CFIUS agreement means the federal government will likely take action to punish the company and assess how U.S. citizens have been compromised,” another former top CFIUS official said.

“CFIUS are basically paid paranoids who are always considering the worst circumstances, so this is what their job is,” said the former official, who is now a lawyer in private practice.

The concerns with IDEMIA’s CFIUS contract violation are exacerbated by the fact that France has long been known for industrial espionage.

U.S. government officials and national security scholars have long seen the relationship between French corporations and the French government as worryingly close.

“The government and business have operated hand-in-hand since the time of Louis XIV. This is not exactly a new development in France,” former U.S. Defense Secretary and CIA Director Robert Gates said in 2014 of France’s industrial espionage.

It’s possible France’s intelligence agencies could gain access to IDEMIA’s U.S. customer data, if it has been compromised.

Source: Washington Examiner