Did U.S., U.K. Spies Attack SIM-Card Maker Gemalto’s Network?

Gemalto Chief Executive Officer Olivier Piou

Under Chief Executive Officer Olivier Piou, Gemalto has diversified and developed security and encryption technology for passports, electronic contracts and payment services using mobiles and bank cards. Photographer: Angel Navarrete/Bloomberg

(Bloomberg) — Gemalto NV, the world’s largest provider of
high-security mobile-phone and bank-card chips, said U.S. and
U.K. spies were probably behind the most sophisticated computer
attacks on its networks in at least five years — though failed
to steal a large amount of data.

Intrusions into the outer layer of Gemalto’s networks in
2010 and 2011 appear to be linked to operations by U.S. and U.K.
intelligence agencies, the company said Wednesday. The hackers
sought keys used to encrypt mobile-phone conversations, messages
and data traffic, which allow the monitoring of communications
without having the permission to wiretap.

“We didn’t know who the attackers were, but we knew right
away in 2010 that this wasn’t your basic hacker,” Chief
Executive Officer Olivier Piou said at a press conference in
Paris. “This came from someone sophisticated, with deep
pockets. We haven’t had any attacks of this magnitude since.”

Gemalto, which provides security software to companies from
Visa Inc. and MasterCard Inc. to phone carriers, such as AT&T
Inc., is responding to a report last week saying spies
intercepted SIM-card encoders as they were being shipped to
phone companies in countries including Afghanistan, Iran and
India. The report, by the Intercept, cited documents from former
U.S. National Security Agency contractor Edward Snowden.

Banks, Governments

It’s unlikely the spies managed to steal a large amount of
encryption keys, Gemalto said. The Snowden documents showed that
SIM-card makers accounted for only a minority of the parties
targeted, it said.

“None of our products are affected and there’s no
significant financial risk,” Piou said. The company doesn’t
intend to pursue legal action and hasn’t reached out to the NSA
or the U.K.’s Government Communications Headquarters, he said.

Shares of Gemalto gained as much as 3.4 percent and rose
2.9 percent to 71.40 euros at 2:20 p.m. in Amsterdam, giving the
company a market capitalization of 6.3 billion euros ($7.2
billion).

Under Piou, 56, Gemalto has diversified from selling SIMs
for phones and chips for bank cards. It now develops security
and encryption technology for passports, electronic contracts
and payment services, for clients including governments, banks
and companies such as Microsoft Corp. and Boeing Co.

Client Audits

Such customers each year make their own audit of how secure
Gemalto’s systems are. About 500 audits were conducted last
year, and the company made adjustments to reflect the feedback
it received, Piou said. Gemalto spends about 10 million euros
each year on upgrading its security.

“Even for a special team of U.K. and U.S. intelligence
guys, it took more than a year of attempts to get into part of
Gemalto’s system,” Piou said. “If anything, that delay has
reassured our customers.”

During the course of 2010 and 2011, Gemalto said it
recorded several attacks on the external parts of its networks,
two of which were particularly noteworthy.

Gemalto Chief Security Officer Patrick Lacruche said raids
in June 2010 showed someone was trying to spy on employees’
messaging system. A month later, attackers used sophisticated
malware to send fraudulent e-mail to one of Gemalto’s carrier
clients. Gemalto declined to say which customer it was.

To contact the reporter on this story:
Marie Mawad in Paris at
mmawad1@bloomberg.net

To contact the editors responsible for this story:
Kenneth Wong at
kwong11@bloomberg.net
Ville Heiskanen