Gemalto Acknowledges Data Breach, But Says No Products Are Affected

Gemalto NV, the world's largest provider of high-security mobile-phone and bank-card chips, said U.S. and U.K. spies were probably behind the most sophisticated computer attacks on its networks in at least five years — though they failed to steal a large amount of data.

Intrusions into the outer layer of Gemalto's networks in 2010 and 2011 appear to be linked to operations by U.S. and U.K. intelligence agencies, the company said Wednesday. The hackers sought keys used to encrypt mobile-phone conversations, messages and data traffic, which allow the monitoring of communications without having the permission to wiretap.

"We didn't know who the attackers were, but we knew right away in 2010 that this wasn't your basic hacker," Chief Executive Officer Olivier Piou said at a press conference in Paris. "This came from someone sophisticated, with deep pockets. We haven't had any attacks of this magnitude since."

Gemalto, which provides security software to companies from Visa Inc. and MasterCard Inc. to phone carriers, such as AT&T Inc., is responding to a report last week saying spies intercepted SIM-card encoders as they were being shipped to phone companies in countries including Afghanistan, Iran and India. The report, by the Intercept, cited documents from former U.S. National Security Agency contractor Edward Snowden.

Banks, Governments

It's unlikely the spies managed to steal a large number of encryption keys, Gemalto said. The Snowden documents showed that SIM-card makers accounted for only a minority of the parties targeted, it said.

"None of our products are affected and there's no significant financial risk," Piou said. The company doesn't intend to pursue legal action and hasn't reached out to the NSA or the U.K.'s Government Communications Headquarters, he said.

Shares of Gemalto gained as much as 3.4 percent and rose 2.9 percent to 71.40 euros at 2:20 p.m. in Amsterdam, giving the company a market capitalization of 6.3 billion euros ($7.2 billion).

Under Piou, 56, Gemalto has diversified from selling SIMs for phones and chips for bank cards. It now develops security and encryption technology for passports, electronic contracts and payment services, for clients including governments, banks and companies such as Microsoft Corp. and Boeing Co.

Client Audits

Such customers each year make their own audit of how secure Gemalto's systems are. About 500 audits were conducted last year, and the company made adjustments to reflect the feedback it received, Piou said. Gemalto spends about 10 million euros each year on upgrading its security.

"Even for a special team of U.K. and U.S. intelligence guys, it took more than a year of attempts to get into part of Gemalto's system," Piou said. "If anything, that delay has reassured our customers."

During the course of 2010 and 2011, Gemalto said it recorded several attacks on the external parts of its networks, two of which were particularly noteworthy.

Gemalto Chief Security Officer Patrick Lacruche said raids in June 2010 showed someone was trying to spy on employees' messaging system. A month later, attackers used sophisticated malware to send fraudulent e-mail to one of Gemalto's carrier clients. Gemalto declined to say which customer it was.
