Gemalto NV, the largest maker of mobile-phone cards and a manufacturer of EMV card chips, said it's investigating a report that U.S. and U.K. spies allegedly hacked into its computer network to steal the keys used to encrypt conversations, messages and data traffic.
The U.K.'s Government Communications Headquarters and the U.S. National Security Agency started intercepting the encoders in 2010 as they were being shipped to phone companies, allowing them to monitor wireless communications and bypass the need to get permission for wiretapping, the Intercept reported Thursday, citing documents from former NSA contractor Edward Snowden.
Gemalto is a particularly valuable holder of the keys as the French company produces 2 billion SIM cards every year, according to the report.
"The publication indicates the target was not Gemalto per se it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent," Gemalto said in a press statement Friday, adding it couldn't immediately verify the findings in the report.
In an e-mailed statement, GCHQ said it couldn't comment on intelligence matters, citing agency policy.
The theft of encryption keys would potentially allow U.S. and U.K. agencies to also unlock communications it had recorded but was previously unable to unlock, the Intercept said.
A U.K. court this month ruled against the nation's spy agencies for the first time, saying its mass collection of Internet and phone data was illegal until late last year. The data-sharing program with U.S. agencies contravened privacy and free-speech provisions in the European Convention on Human Rights, the Investigatory Powers Tribunal said Feb. 6 in London.
According to the Intercept, the spies planted malware on several of Gemalto's computers and obtained access to private communications among employees to help them set up the theft. They also targeted unidentified mobile-phone companies to gain insight into customers and network maps, and tapped into authentication servers that verify communication between an end user and the network operator, according to the report.
While individual hackers are responsible for the lion's share of security breaches, state-sponsored attackers typically can afford large teams and expensive hardware to help them carry out complex assaults on company and government computer systems.
While calls and messages transmitted over older networks, such as those based on 2G technology, can be decrypted with little more than a powerful computer and some mathematic shortcuts, private hacker and secret services alike are finding it harder to break security locks used for 3G and 4G systems that have become more popular. That makes the acquisition of keys a worthwhile endeavor.
The Intercept is a publication founded by Glenn Greenwald, Laura Poitras, and Jeremy Scahill to report and explain the findings in the documents supplied by Snowden.
Gemalto, whose headquarters are in Amsterdam, fell 7.5 percent to 67.17 euros at 10:49 a.m. on the local exchange, for a market value of 6 billion euros ($6.8 billion). The company said it had detected and mitigated many types of hacking attempts over the years.
"At present we cannot prove a link between those past attempts and what was reported yesterday," it said. "There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasizes how serious cyber security is in this day and age."