Spies Hack Gemalto Networks, Steal Encryption Keys

Mobile ID Industry News Roundup: PayPal Leadership, Touch ID and Concern Versus ActionDutch mobile security company Gemalto has suffered a major security breach, according to an investigation by Jeremy Scahill and Josh Begley for The Intercept. British and American spy agencies apparently hacked into the company’s servers and stole encryption keys used to protect the SIM cards on Gemalto client phones.

The spy agencies in question are the British Government Communications Headquarters (GCHQ) and America’s National Security Agency (NSA). The breach actually occurred several years ago; the journalists found its details in a 2010 GCHQ document. According to their investigation, the spies were able to penetrate Gemalto’s networks with total stealth, leaving no trace of their breaches, and the stolen encryption keys could be used to monitor mobile communications in secret, without the need to obtain permission from telecom providers or governments.

Interviewed for the article, Gemalto VP Paul Beverly said he was “disturbed, quite concerned that this has happened.” When asked if the spy agencies had ever requested permission to access the encryption keys, he said, “To the best of my knowledge, no.”

This comes at a time when the company appeared to be enjoying a growing, positive profile – just last month it opened a new office in Côte d’Ivoire, and last fall its executives were high-profile panelists at the 2014 Money20/20 conference. The company had posted strong revenues in October and seemed to be growing on the strength of the mCommerce wave. Now, as Scahill and Begley note, it’s anyone’s guess whether data associated with Gemalto’s mCommerce operations in the hands of British and American spies.