Gemalto, the amsterdam-based digital security company have said that reports of its hack may have been blown out of proportion. This was part of the latest release, after the firm investigated the leak that claimed that it had been hacked between 2010 and 2011 by the US’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).
According to reports from The Intercept, the details of the hack was released by the NSA whistleblower, Edward Snowden.
The intrusion reportedly resulted in the intelligence services stealing encryption keys from the company’s database. Hack into Gemalto is significant because the multinational firm makes the chips used in mobile phones and credit cards and produces more than 2 billion SIM cards every year for the likes of Zimbabwe’s NetOne. Encryption keys are privacy algorithms embedded in every SIM to protect cellphone communications’ from unwarranted taps. Access to them would give the two intelligence agencies unbridled access to voice and data communications on mobile devices across the globe.
Gemalto had since come out to say that it has, after investigation, “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”. However, Gemalto added that the reports may have been wildly exaggerated.
“Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft”, the firm said, adding that even if there had been key theft as the top secret document claimed, “the intelligence service would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”
Gemalto says it observed attempts to access PCs of Gemalto employees who had regular contacts with customers around the time NSA and GCHQ reportedly hacked the firm but the intrusions only affected the outer parts of its networks.
The statement from Gemalto confidently put forth that “The SIM encryption keys and other customer data in general are not stored on these (outside) networks. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports.”
Gemalto is surprisingly confident even though hacks from the likes of NSA and GCHQ could be so sophisticated to the extent that the in-house backtracking may have not been able to pick up a deeper intrusion.
The firm further accented some error concerns from the leak. Gemalto claimed that “it has never sold SIM cards to four of the twelve operators listed in the document”, adding that the company also did not operate SIM card personalization centers in Japan, Colombia and Italy as alleged by the document.
The claims from Gemalto, if true, paints yet another bullseye on Snowden’s reputation whose activities have been a subject of inordinate conspiracy theories, and in an alternate case, Gemalto’s credibility may be going farther south along with its plunging stock which took $470m hit in it’s stock price right after the leak.
Photo Credit: Luciano Belviso via Compfight cc