By Amir Mizroch in London and Maarten van Tartwijk in Amsterdam
Gemalto NV, one of the world's largest cellphone SIM-card
providers, scrambled Friday to respond to a report that U.S. and
British intelligence agencies hacked into its systems.
The alleged hack--reported by a news site that has been a
conduit of leaks from former National Security Agency contractor
Edward Snowden--raises fresh questions about Western governments'
attempts to tap into private companies to gain access to
personal-communication data, potentially circumventing legal
procedures and privacy safeguards.
For Netherlands-based Gemalto, it also raises the prospect of
significant financial pain, with some analysts saying the company
may be forced to recall chips if the alleged leak raises widespread
worry among telecommunications customers or individual users over
privacy.
Shares in the digital-security company--whose customers include
telecommunications giants China Mobile Ltd.,
Vodafone Group PLC and Verizon Communications Inc.--fell nearly 7%
at one stage in Friday morning trading in Amsterdam.
Gemalto said it was investigating the alleged breach after a
report Thursday by the Intercept, a news site set up by Glenn
Greenwald, the American journalist who has been a principal
disseminator of classified material from Mr. Snowden.
"We cannot at this early stage verify the findings of the
publication and had no prior knowledge that these agencies were
conducting this operation," Gemalto said in a written statement.
"We take this publication very seriously and will devote all our
resources necessary to fully investigate and understand the scope
of such sophisticated techniques."
The report alleges that the U.S. NSA and the U.K.'s Government
Communications Headquarters, or GCHQ, started hacking the company
in 2010 to steal encryption keys used to protect the privacy of
mobile-phone communications. It cites GCHQ documents describing a
joint GCHQ-NSA team called the Mobile Handset Exploitation Team.
According to the leaked document, government hackers said they had
gained access to "core mobile networks" through penetrating
Gemalto's computer systems and intercepting encryption keys the
company implants into the SIM cards it ships to customers. The
company sends a corresponding key to its mobile-operator
customers.
"Successfully implanted several machines and believe we have
their entire network," one leaked document said.
GCHQ, in a statement, said it doesn't comment on intelligence
matters. But it said all of its work "is carried out in accordance
with a strict legal and policy framework, which ensures that our
activities are authorized, necessary and proportionate" and that it
is subject to "rigorous oversight" by the government and
parliament. "All our operational processes rigorously support this
position. In addition, the U.K.'s interception regime is entirely
compatible with the European Convention on Human Rights," GCHQ
said.
A representative of the NSA couldn't be reached for comment. A
spokesperson for the U.S. Embassy in the Netherlands wasn't
immediately available for comment.
Gemalto develops and installs security and identification
software in a line of products such as SIM cards, which go into
cellphones, payment cards and electronic identification documents.
SIM cards in phones are embedded with an encryption key--a
mathematical code that conducts a "digital handshake" with a mobile
carrier's network, which has the corresponding encryption key for
that specific SIM card. Once that digital identification process
has been completed, the call or data transfer is encrypted and can
proceed in both directions. According to its website, Gemalto has
450 mobile-network operators as customers. It recorded EUR2.4
billion ($2.72 billion) in revenue in 2013.
The alleged breach isn't the first instance in which a Western
government agency has been accused of tapping into the
infrastructure of a private company to gain access to personal
communications. Previous leaks by Mr. Snowden allege U.S. and
British agencies have attempted to access infrastructure at big
American tech companies, including Google Inc., without those
companies' knowledge to access individual communications and
data.
Telecommunications and tech companies have also routinely
provided authorities in the U.S., Britain and beyond with data
about cellphone users after specific requests by those agencies.
But those requests are typically routed through courts or other
legal procedures.
Microsoft Corp., Google, Yahoo Inc. and Facebook Inc., for
instance, all supply user data to the NSA, in response to secret
orders from a Foreign Intelligence Surveillance court, under a
program known as Prism that was previously disclosed in Snowden
leaks.
Because of Gemalto's position as a provider of SIM cards, the
alleged hack opens up a potentially new avenue through which
Western agencies may have worked to obtain cellphone data carried
on dozens of large telecommunications networks around the
world.
If Gemalto finds evidence of a security breach, it could trigger
calls for the company and its customers to recall its chips, some
analysts said.
"Gemalto could be forced to replace a large number of SIM cards,
which could be a costly exercise," analysts at Dutch lender
Rabobank wrote Friday in a research note. "Gemalto has a lot to
lose here."
Spokespeople for China Mobile, the world's largest
telecommunications provider by subscribers, and several other big
Gemalto customers weren't immediately available for comment.
In a statement, Vodafone, No. 2 behind China Mobile, said "we
have no further details of these allegations which are industrywide
in nature and are not focused on any one mobile operator. We will
support industry bodies and Gemalto in their investigations."
Write to Maarten van Tartwijk at maarten.vantartwijk@wsj.com