The world's biggest security chip manufacturer has confirmed a "sophisticated intrusion" took place against its networks several years ago. The National Security Agency (NSA) and a British intelligence agency may have been involved, but the hack did not compromise chip encryption capabilities or result in any privacy leak.
Gemalto NV, which is the global leader in SIM making with millions of its cards used in smartphones and credit cards, said an internal investigation revealed that hacking incidents in 2010 and 2011, which included cyber stalking of employees, appeared to coincide with attacks described in documents released by whistleblower Edward Snowden regarding NSA surveillance and spying activities.
"If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation," stated Gemalto.
The Snowden documents claimed the network attacks may have been the work of the NSA and Britain's Government Communications Headquarters (GCHQ).
Gemalto, in its official response to the claims that emerged last week, stated that encryption on its SIM cards was not compromised, since encryption keys and customer data were not stored on the networks that came under attack.
The Dutch security vendor said it is "extremely difficult" to attack large numbers of SIM cards on an individual basis.
"This fact, combined with the complex architecture of our networks, explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents," stated Gemalto.
"It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data," reported Gemalto.
The network hacking incidents potentially only impacted 2G mobile networks given the enhanced security technologies used in the development of 3G and 4G networks, said Gemalto. The company's explanation and response are likely the last Gemalto intends to communicate regarding the network breaches.
"We do not plan to communicate further on this matter unless a significant development occurs," it said.
There has been no comment from the NSA on the incidents or Gemalto's statement regarding the network breach reports.
GCHQ, however, released a statement saying that it does not comment on intelligence matters, although the statement noted:
"GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee."