Gemalto NV (GTOFF) published the findings of an internal inquiry into the hacking of its internal networks by U.S. and U.K. spy agencies in 2010/2011, saying that the impact was limited and couldn’t affect the security of its more recent products.
The Dutch-based, NASDAQ-listed company said in a statement that although its network had been hacked, this “could not have resulted in a massive theft of SIM encryption keys” by the National Security Agency and the British Government Communications Headquarters, or GCHQ, as originally claimed in an article published last week in The Intercept.
The article was based on leaked documents provided by the former NSA contractor and whistleblower Edward Snowden.
Gemalto is one of the world’s largest makers of SIM cards, and counts all three major U.S. providers and China Mobile among its clients. However, the report said that the hacks focused on SIMs provided to network operators in countries such as Afghanistan, Yemen and Pakistan.
Gemalto said the attacks had only penetrated an outer layer of its corporate network, the one in contact with the outside world.
“The SIM encryption keys and other customer data in general, are not stored on these networks,” Gemalto said. “It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”
Even if encryption keys had been stolen, it added, the NSA and GCHQ couldn’t have used them on the new generation of 3G and 4G SIM cards that are now in circulation. These are all fitted out with extra encryption features that make stolen keys unusable, it said.
It added that none of its other products, such as identity documents, were affected by the attack, an important reassurance to investors because such products are vital to the company’s strategy of growing beyond its role as a SIM-card maker.
Investors in Gemalto appear to have regained their composure after the initial shock. The company’s shares rose 3% on the back of the announcement, and are now less than 2% below where they were before news of the hack broke.
Even today, Gemalto says it can’t verify who was behind the attacks in 2010 and 2011. However, it added that “we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”