One of the world’s largest manufacturers of SIM cards has acknowledged evidence of security agency attacks on the company’s internal networks, but it’s denying that American and British intelligence agents were able to get access to billions of mobile phone users’ secure data.
Gemalto, a French-Dutch supplier of SIM cards, found “reasonable grounds” of an attack by U.S. National Security Agency and its British counterpart, the Government Communications Headquarters (GCHQ) following an internal investigation into a series of security incidents. The audits came after online publication The Intercept reported on what it said was a joint British-American operation to covertly hack Gemalto’s stash of SIM encryption keys, based on documents leaked by Edward Snowden.
SIM cards are small encrypted devices inside cell phones that carry users’ unique identifier codes on a network. Breaking their encryption could allow intelligence agencies or hackers easier access to targets’ mobile communication.
In particular, Gemalto cited two “sophisticated intrusions” in 2010 and 2011, one of which involved sending malware-infected attachments from faked company email addresses. Gemalto acknowledged that the breaches may have enabled a third party such as the NSA to spy on internal communications from company employees, but denied the breach led to a massive loss of encryption keys. The Intercept previously reported that the NSA and GCHQ stole encryption codes as Gemalto sent them to device makers like China’s Huawei.
“The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys,” read a statement from the company.