European prosecutors are examining how the Moscow office of an IT contractor helped to build the EU’s new electronic border system, which will establish the bloc’s biggest personal information database.
According to documents seen by the Financial Times, the French IT group Atos used staff in Russia to buy software in 2021 for the highly sensitive project, which aims to gather and store biometric data on all non-EU visitors to the EU.
The disclosure of Russian involvement has raised significant security questions about the ambitious overhaul of the EU’s border infrastructure. Its launch remains uncertain after the EU scrapped several target dates due to technical issues.
The leaked papers suggest Atos’s branch in Moscow operated under a licence that would grant Russia’s FSB security service access to its work in the country. Four people with knowledge of the events said Moscow-based staff were directly involved in buying software for the border system, work that would typically require an EU security clearance.
The European Public Prosecutor’s Office (EPPO) is looking into the involvement of Atos Russia in the border project, according to two people with knowledge of the probe.
The EPPO is responsible for investigating and prosecuting criminal offences affecting the financial interests of the EU. The EPPO said it does not comment on cases or publicly confirm the investigations it is pursuing. No charges have been brought to date.
The EU’s so-called Entry/Exit System (EES) will collate data tracking the movements of every foreign traveller entering or exiting the bloc, recording biometric and personal information as well as their visa status. Atos Belgium won the EES contract, now worth €212mn, together with IBM Belgium and Italy’s Leonardo in 2019.
Olaf, the EU’s anti-fraud watchdog, last year investigated allegations regarding the involvement of Atos Russia, a probe that has not been previously disclosed. It found that measures taken internally by EU-Lisa, the agency implementing the EES, to address “security issues” were not sufficient, according to one person with direct knowledge of the inquiry.
Insufficient evidence was found to open an investigation under Olaf’s anti-fraud mandate, the person said, but recommendations were issued to EU-Lisa to address weaknesses. Olaf declined to comment.
“We are aware of the fact that EU-Lisa is closely co-operating with Olaf . . . the agency may take all necessary legal actions if it proves necessary,” said a spokesperson for the European Commission.
EU-Lisa said it was “aware of the allegations related to Atos Russia involvement” in the project and that it “never had any contractual relations with Atos Russia”.
The agency said “there has been no identified security breach” and that it had “continued to carry out systematic security assessments and has taken all relevant actions since learning of the matter”.
Software licences needed for parts of the EES were purchased through Atos’s offices in Moscow in 2021, according to internal documents obtained by the FT. There is no evidence Atos’s Moscow branch was involved in EES work after Russia’s full-scale invasion of Ukraine in 2022.
The Atos branch, since 2016, operated under a licence granted by the FSB, one of the successor agencies to the Soviet Union’s KGB. This covered the “development, production, distribution of encryption (cryptographic) tools, information systems and telecommunication systems”, according to Russian public records.
Andrei Soldatov, an author and expert on Russia’s security services, said such a licence grants the FSB a “back door” into Atos Russia’s activities. “They can look at everything this company is working on,” Soldatov said.
Atos has said that it divested from its Russian business in September 2022 following the invasion. Atos, IBM and Leonardo declined to comment.
One European official said the revelations about Atos Russia raised urgent questions about access to such a sensitive project. “The security issue immediately comes to mind because of the enormous amount of data that [the EES] would contain,” they said.
Atos used its Russian office to procure software for a part of the EES that would allow airlines to verify traveller information such as visa status, according to the leaked documents and four people involved in software sales at Atos, EU-Lisa and their suppliers.
Yulia Plavunova, a Moscow-based Atos employee, was the “primary” customer contact for a purchase of cryptographic certificates from the US company AppViewX that help to verify the users of that part of the EES, according to the leaked documents.
Atos’s Moscow address is also listed in the documents in connection with a software licence sold by Swiss group Magnolia for so-called middleware that connects different parts of the computer system.
Both AppViewX and Magnolia confirmed Atos used its Moscow office for procurement, while their contracts were with Atos France and Atos Belgium.
A former Atos employee working on the project said Plavunova was “part of the procurement office” and that “she was consistently involved for purchases involving third-party contractor[s]”.
The employee said they had not been aware that Plavunova was based in Russia, and that this was “strange” as only “EU-cleared staff” could be assigned to the project.
According to the main EES contract, seen by the FT, all IT contractors’ staff working on the project “must hold a valid security clearance at EU Secret level issued by a National Security Authority [in a member state] prior to providing services”.
EU-Lisa said that “there has been no identified security breach” as the employee of Atos Russia “did not have access to EU-Lisa’s IT systems, sensitive information, or premises”. The software purchased by AppViewX was never used and Magnolia was used until 2022, according to EU-Lisa.
Plavunova said she left Atos in 2021 and “cannot disclose any information that belongs to my former employer”. She said her activity as a software buyer was “not connected to Atos Russia business” and that Atos “provided employees with equal opportunities to work for different regions . . . Being Russian doesn’t mean working for the FSB.”
A spokesperson for the European Commission said it had “full confidence in EU-Lisa’s capacity to manage the security of the EES” and that EU-Lisa would “perform a security audit before EES goes live”.
Additional reporting by Chris Cook in London
Read the full article here
