SIM card maker Gemalto today said it believes the NSA and GCHQ did indeed breach its systems, but the firm found that the agencies were unable to swipe any encryption keys.

The news comes after a recent report, based on documents leaked by Edward Snowden, said that the NSA and its U.K. counterpart hacked Gemalto in order to steal encryption keys and spy on wireless communications.

A multinational chipmaker based in The Netherlands, Gemalto supplies SIM cards used by all four of the top U.S. carriers and 450 wireless network providers around the world. Access by intelligence agencies, therefore, would allow the monitoring of mobile communications without approval, warrant, or wiretap.

Gemalto's subsequent investigation found that the agencies' "intrusions only affected the outer parts of our networksour office networks," Gemalto said. SIM encryption keys and customer data is stored on other networks.

The Dutch tech giant said its networks are frequently under attack, but that very few efforts actually succeed. Two sophisticated attacks in 2010 and 2011, however, caught Gemalto's eye and "could be related" to the reported NSA and GCHQ breaches.

One of those attacks focused on suspicious activity on one of its French sites, while another involved fake emails sent to mobile operator customers. At the same time, Gemalto detected numerous attempts to access the employees' PCs.

Though unable to identify the intruders at the time, the company now believes the NSA and GCHQ were behind the breaches. "An operation by NSA and GCHQ probably happened," it said.

"It is important to understand that our network architecture is designed like a cross between an onion and an orange," the report said. "It has multiple layers and segments which help to cluster and isolate data."

The breach was allegedly detailed in a "secret" 2010 GCHQ document, but was only just made public via the Snowden data dump.

GCHQ declined to comment further, repeating last week's statement that the British agency follows "strict legal and policy framework" to ensure "activities are authorized, necessary and proportionate." The NSA did not respond to PCMag's request for comment.

"We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations," Gemalto concluded. "These reports inspire our people to work even closer with our customers and the industry," Gemalto said, with an aim to build more sophisticated solutions to serve the needs of end users.

For more, see The 10 Most Disturbing Snowden Revelations.

Further Reading

Security Reviews