Gemalto acknowledges it was probably victim of spies

A file picture taken on November 10, 2009 shows an employee walking outside the Gemalto building, the world's leading digital security firm, in Gemenos, southern France. Gemalto NV, the maker of mobile-phone card software, said Wednesday it dete
A file picture taken on November 10, 2009 shows an employee walking outside the Gemalto building, the world's leading digital security firm, in Gemenos, southern France. Gemalto NV, the maker of mobile-phone card software, said Wednesday it detected sophisticated attacks on its networks that were probably carried out by U.S. and U.K. intelligence agencies, but didn’t result in massive theft of keys used to encrypt conversations, messages and data traffic. -- PHOTO: AFP

PARIS (REUTERS) - Gemalto, the world's largest maker of mobile SIM cards, said a preliminary company probe of sophisticated attacks against it in 2010 and 2011 showed British and United States intelligence services "probably" hacked into its office networks. But the company said it would not pursue any legal action against government agencies it says could be behind the large-scale hacking attempt as chances of success are nearly nonexistent. 

Gemalto said the suspected attacks by the US National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) "probably happened", but said the intrusions"only breached its office networks" and "could not have resulted in a massive theft of SIM encryption keys".

The Franco-Dutch company was responding to a report by investigative news site The Intercept, which last week published documents it said showed that US and British spies hacked into Gemalto, potentially allowing them to monitor the calls, texts and emails of billions of mobile users around the world.

Gemalto said the spy operation aimed to intercept the encryption codes needed to unlock security for Subscriber Identity Modules (SIMs) while the modules were shipped from its production facilities to mobile network operators worldwide.

However, the company argued that the break-ins were limited to rare exceptions, that they were likely to only have affected older model phones that are widely used in emerging markets and that other Gemalto products for secure financial payments were unaffected. "By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft," it said.

Gemalto added that intelligence services would only be able to spy on communications on second-generation 2G mobile networks as 3G and 4G networks were not vulnerable to this type of attack. "None of our other products were impacted by this attack,"Gemalto added.

Gemalto said on Wednesday that it had experienced many attacks during the period covered in the Intercept report. "In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation," the company acknowledged on Wednesday.

Its chief executive officer Olivier Piou told a news conference it was not likely to consider legal action. “The facts are hard to prove from a legal perspective and ... the history of going after a state shows it is costly, lengthy and rather arbitrary,” Mr Piou told a news conference.