After an internal investigation, digital security company Gemalto has concluded that it had "reasonable grounds to believe" that it was hacked by US National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ), the Amsterdam-based company stated Wednesday.
On Feb 19, 2015, news website The Intercept revealed that, based on documents from American whistle-blower Edward Snowden, the NSA and GCHQ hacked Gemalto's SIM card encryption keys in 2010 and 2011 to make it easier to intercept mobile telephone and internet traffic, without telecom providers knowing. Following this publication, Gemalto conducted an investigation.
Gemalto confirmed it experienced attacks in 2010 and 2011, of which two particularly sophisticated intrusions could be linked to the NSA and GCHQ operation, Xinhua news agency reported. In June 2010, Gemalto noticed suspicious activity on one of its French sites where a third party was trying to spy on the office network.
In July 2010, the security team of Gemalto identified fake emails sent to one of its mobile operator customers spoofing legitimate Gemalto email addresses. During the same period, Gemalto also detected several attempts to access the personal computers of Gemalto employees who had regular contact with customers.
Action was immediately taken at the time to counter the threat, but Gemalto was unable to identify the perpetrators.
"Now we think that they could be related to the NSA and GCHQ operation," Gemalto stated.
According to Gemalto, the attacks only breached its office networks and could not have resulted in a massive theft of SIM encryption keys, because by 2010 the company claimed to already have widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft. Gemalto said none of its other products were impacted by this attack.
"In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks," Gemalto added. "3G and 4G networks are not vulnerable to this type of attack."
According to Gemalto, people try to hack the digital security company on a regular basis, but are mostly unsuccessful.
"The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards, and customised algorithms for each operator," Gemalto continued.
Gemalto also claimed the The Intercept story contained some mistakes and gave some examples: "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen," the company declared.
"A list claiming to represent the locations of our personalization centers shows SIM card personalization centers in Japan, Colombia and Italy."
Gemalto is the world leader in digital security with 2013 annual revenues of 2.4 billion euros ($2.7 billion) and more than 12,000 employees operating out of 85 offices and 25 research and software development centres in 44 countries.