Gemalto hack probe finds no massive privacy leak

Jane Onyanga-Omara | USA TODAY

A Dutch SIM-maker allegedly targeted by British and U.S. spying agencies said it believes there was a hacking operation, but that it didn't result in a massive privacy leak.

Gemalto, which makes SIM cards used in cellphones and credit cards, said an internal investigation gave it reasonable grounds to believe an operation by the U.S. National Security Agency and its British counterpart Government Communications Headquarters "probably happened."

The operation was reported last week on the website The Intercept using documents supplied by Edward Snowden.

Gemalto, which supplies major cellphone operators including AT&T, T-Mobile, Verizon and Sprint, says the attacks in 2010 and 2011 "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys."

"If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation," the firm said.

It said that in June 2010 a third party tried to spy on the office network at one of its French sites, and that the following month fake e-mails spoofing legitimate Gemalto e-mail addresses, with attachments that could download malicious code, were sent to a mobile operator customer.

"By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft," the company said. The firm said intelligence services would only be able to spy on 2G mobile networks, and that 3G and 4G networks are not vulnerable to that type of attack.

In a statement, GCHQ said it does not comment on intelligence matters. It added: "Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position. In addition, the United Kingdom's interception regime is entirely compatible with the European Convention on Human Rights."

The NSA has been approached for comment.

Contributing: Associated Press