Franco-Dutch SIM card maker claims US, UK hacked networks

Security services tried to steal encryption keys, says Gemalto

Gemalto chief executive Olivier Piou said an internal investigation had shown that in 2010 and 2011 there had been ‘two particularly sophisticated intrusions’. Photograph: Ian Langsdon/EPA
Gemalto chief executive Olivier Piou said an internal investigation had shown that in 2010 and 2011 there had been ‘two particularly sophisticated intrusions’. Photograph: Ian Langsdon/EPA

The world’s largest producer of SIM cards says it believes both the US and UK security services hacked its computer systems in 2010 and 2011 trying to steal encryption keys that could have given them unfettered global access to mobile phone data.

The Franco-Dutch firm, Gemalto, which has its headquarters in Amsterdam, is listed on both the Paris and Amsterdam stock markets, and has 10,000 employees in 85 countries, said the hacks had breached its office network – though it was unclear whether they had accessed the encryption keys.

The alleged hacks were reported last week by the specialist website, Intercept, which cited documents leaked to it by former National Security Agency (NSA) contractor Edward Snowden.

Gemalto's chief executive Olivier Piou said that while hacking was a constant problem, an internal investigation had shown that in 2010 and 2011 there had been "two particularly sophisticated intrusions" consistent with the Snowden documents.

READ SOME MORE

They had “reasonable grounds” for believing, he said, those hacks had “probably” been the work of the NSA in the US and GCHQ (Government Communications Headquarters), based in Cheltenham in the UK.

Encryption keys

The operation appeared to have been an attempt to intercept the encryption keys that unlock mobile phone SIM cards while they were being transferred from Gemalto’s high-security production facilities to mobile network operators worldwide.

“Whether SIM security codes were stolen and how many, that’s difficult to say,” Mr Piou told reporters. “How many were used, that’s even harder to say.”

However, even if the hack had succeeded in stealing codes, the agencies would have been able to spy only on 2G mobile phone networks. More up-to-date 3G and 4G networks were not vulnerable to that type of attack.

Asked if the company had contacted either GCHQ or the NSA when the hacks were discovered or since, he said it would have been “a waste of time” – and they did not intend to take legal action for the same reason.

A GCHQ spokeswoman said it did not comment on intelligence matters, adding its work was done “in accordance with a strict legal and policy framework”.

Peter Cluskey

Peter Cluskey

Peter Cluskey is a journalist and broadcaster based in The Hague, where he covers Dutch news and politics plus the work of organisations such as the International Criminal Court