Gemalto reassured investors this morning that the alleged attacks by U.S. and U.K. government agents only breached the company's office network and could not have led to theft of encryption keys, which are considered an important part of digital payments security.
The probe began after The Intercept reported on documents exposed by former NSA contractor Edward Snowden. According to the documents, the U.S.' National Security Agency (NSA) and the U.K.'s Government Communications Headquarters (GCHQ) intercepted Gemalto's encoders in 2010. Gemalto is the largest manufacturer of mobile SIM cards and EMV chips.
While Gemalto did experience several attacks between 2010 and 2011 that were particularly sophisticated, these attackers only breached the outer perimeter of Gemalto networks which are those that employees use to communicate with customers and each other.
"As a digital security company, people try to hack Gemalto on a regular basis," the company said in a February 25 press release. "These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network architecture."
Gemalto now says these attacks were related to the NSA and GCHQ attempts to gain access to SIM encryption keys and other customer data.
"It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data," the company said. "No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports."
Since the news, the payments industry has been on edge raising doubts over security measures the payment industry has embraced. But more than worry, the incident should highlight the importance of layered security.
"In today's world, any organization could be subject to a cyber-attack," Gemalto said, adding that advanced data encryption is key.
The Snowden documents indicated that mobile operators in several controversial countries were targeted, including Afghanistan, Yemen, Somalia, Pakistan, Iran, India, Serbia, Tajikistan and Iceland.
But most data was protected as Gemalto implemented a highly secure exchange process between its operators before 2010, Gemalto said.
The company also stated that it has never sold SIM cards to four of the 12 operators, particularly the Somali carrier that reportedly had 300,000 keys stolen, listed in the document Snowden released.
Gemalto said interception techniques did not produce results with Pakistani operators. The company didn't include specifics on other countries, but said operators and suppliers might not have opted to use the secure exchange process.
Even if key theft would have occurred, Gemalto said, the government agencies would only have been able to spy on 2G mobile networks; 3G and 4G networks have been updated and are not vulnerable to the type of attack perpetrated.