Russia’s backdoor? Moscow tied to EU’s biometric border system – FT

Nation

6 February 2025, 04:32 PM

European prosecutors are investigating how the Moscow office of an IT contractor helped build the European Union’s new electronic border system, which holds the bloc’s largest personal data database, Financial Times reported on Feb. 6.

According to documents reviewed by the newspaper, the French IT group Atos used employees in Russia to procure software in 2021 for a top-secret project designed to collect and store biometric data on all non-EU visitors.

The revelation of Russia’s involvement has raised security concerns about the EU’s massive border infrastructure overhaul. The system’s launch remains uncertain after the EU canceled several scheduled dates due to technical issues.

According to the report, leaked documents suggest that Atos’ Moscow branch operated under a license granting Russia’s FSB security service access to its work in the country.

Four sources interviewed by the newspaper said that employees of the Moscow office were directly involved in procuring software for the border system—a task that typically requires approval from the EU’s security services.

European Public Prosecutor’s Office (EPPO) is investigating the involvement of Atos’ Russian unit in the project, the sources said.

EPPO stated that it does not comment on cases or publicly confirm ongoing investigations.

The EU’s anti-fraud watchdog, Olaf, investigated allegations of Atos Russia’s involvement last year. A person familiar with the probe said the agency determined that measures taken by EU-Lisa, the EU agency responsible for large-scale IT systems, to address “security concerns” were insufficient.

The source said there was not enough evidence to launch a formal investigation, but EU-Lisa was given recommendations on “eliminating vulnerabilities.”

“We know that EU-Lisa is working closely with Olaf… the agency can take any necessary legal action if required,” a European Commission spokesperson said.

EU-Lisa stated that it was “aware of allegations related to Atos Russia’s involvement” in the project and that it “never had any contractual relations with Atos Russia.”

The agency said “no security breaches have been identified” and that it has “continued systematic security assessments and taken all necessary measures since learning about the issue.”

However, according to FT, software licenses were purchased through Atos’ Moscow offices in 2021. There is no evidence that the Moscow branch of Atos was involved in work on the Entry/Exit System (EES) after Russia launched its full-scale invasion of Ukraine in 2022.

Since 2016, the Atos branch had operated under a license issued by the FSB, which covered the development, production, and distribution of encryption tools, information systems, and telecommunications systems.

Andrei Soldatov, an author and expert on Russian intelligence services, said such a license gives the FSB a “backdoor” into Atos’ operations in Russia.

“They can see everything this company is working on,” Soldatov said.

Atos stated that it sold its Russian business in September 2022 following the invasion of Ukraine.

According to leaked documents, Atos used its Russian office to procure software for part of the EES system that would allow airlines to check travelers’ information, visa status, and details of four individuals involved in the software sales at Atos, EU-Lisa, and its suppliers.

The report noted that an employee at Atos’ Moscow office, Yulia Plavunova, was the “primary” contact person for purchasing cryptographic certificates from the US company AppViewX, which help verify users of this part of the EES system. The Moscow address of Atos was also listed in documents related to software licenses sold by the Swiss group Magnolia for middleware, which connects different parts of a computer system.

Both AppViewX and Magnolia confirmed that Atos used its Moscow office for procurement, although their contracts were signed with Atos France and Atos Belgium. A former Atos employee who worked on the project said Plavunova was “part of the procurement department” and was “routinely involved in purchases involving third-party contractors.” The employee said they were unaware that she worked in Russia and found it “strange” since only “EU-vetted employees” were supposed to be involved in the project.

According to the main EES contract reviewed by FT, all IT contractor employees working on the project “must have a valid EU security clearance issued by the national security authority [in an EU member state] before being allowed to provide services.”

EU-Lisa stated that “no security breaches have been identified” because the Atos Russia employee “did not have access to IT systems, confidential information, or EU-Lisa premises.”

EU-Lisa also said that the software purchased from AppViewX was never used and that Magnolia software was used until 2022.

Plavunova stated that she left Atos in 2021 and could not disclose any information belonging to her former employer. She added that her role as a software buyer “was not related to Atos’ business in Russia” and that Atos “provided employees with equal opportunities to work in different regions.”

“Being Russian does not mean working for the FSB,” she said.

Інші новини

Все новости