Dutch SIM-card maker Germalto is denying reports that its encryption keys were stolen by the U.S. National Security Agency and British intelligence. The spy agencies “probably” did infiltrate Germalto's networks, the company admitted, but at the time of the hack, Germalto had already put a “secure transfer system” in place that would have fended off cyberattackers.
Germalto on Wednesday presented the findings of an internal investigation that was launched in response to a report on the Intercept, which, based on the leaks from former NSA contractor Edward Snowden, declared that American and British spies had access to the SIM cards -- the small personal identifier chips implanted in every cell phone -- on tens of millions of phones, monitoring users without authorization from courts or phone companies.
Germalto makes an estimated 2 billion SIM cards every year, working closely with AT&T, Verizon and Sprint. “If we look back at the period covered by the documents from the NSA and GCHQ (British Government Communications Headquarters), we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation,” the company said.
Germalto admitted its office networks had been compromised but suggested that the hack “could not have resulted in a massive theft of encryption keys” before later saying there are “rare exceptions” when security can be compromised. The breach is only the latest troubling disclosure from the Snowden files, which sparked an ongoing debate over government surveillance and the importance of security relative to privacy.
“Trust in the security of our communications systems are essential for our society and for businesses to operate with confidence,” Eric King, deputy director of Privacy International, told the New York Times. “The impact of these latest revelations will have ripples all over the world.”