By Amir Mizroch in London And Maarten van Tartwijk in Amsterdam
European government officials, telecom executives and
shareholders rushed Friday to respond to a report that U.S. and
British intelligence agencies breached security systems at Gemalto
NV, one of the world's biggest cellphone SIM-card providers.
The alleged hack, reported by a news site that has been a
conduit of leaks from former National Security Agency contractor
Edward Snowden, raised fresh questions in Europe about whether
Western governments have attempted to tap into private companies to
gain access to personal-communication data, potentially
circumventing legal procedures and privacy safeguards.
Earlier reports citing leaked documents from Mr. Snowden have
alleged U.S. and British spies have attempted to secretly tap into
tech and telecommunications companies, including Google Inc. But
the new report--published Thursday by the Intercept, a news site
set up by American journalist Glenn Greenwald, a primary conduit
for Snowden leaks--did more than raise questions about privacy
concerns. It also hit shareholders hard.
Gemalto ships SIM cards to some of the world's biggest
telecommunications carriers, including Verizon Communications Inc.,
Vodafone Group PLC and China Mobile Ltd. Industry analysts raised
the prospect of financial repercussions for the company should the
report stir broader worry about whether the SIM cards it provides
were vulnerable to snooping.
Shares in Gemalto, based in France and the Netherlands, ended
trading down almost 4%, recovering somewhat from a nearly 10% drop
earlier in the day. Friday's selling wiped out about EUR230 million
($262 million) from the stock-market value of the company.
Gemalto said it was investigating the report. "We cannot at this
early stage verify the findings of the publication and had no prior
knowledge that these agencies were conducting this operation,"
Gemalto said in a written statement. "We take this publication very
seriously and will devote all our resources necessary to fully
investigate and understand the scope of such sophisticated
techniques."
The report triggered angry reaction from some European
politicians, who have ratcheted up scrutiny of U.S. technology
firms, as well as U.S. and British intelligence practices, amid
previous Snowden leaks.
Jan Philipp Albrecht, chief negotiator for the European
Parliament for the European Union's proposed new data protection
law, urged the Dutch government to open an investigation. A
spokeswoman for the Dutch interior ministry declined to comment
about any probe.
Meanwhile, some of Europe's biggest telecom providers hurried to
determine any vulnerability to customers. Managers and technicians
at Deutsche Telekom AG, which uses Gemalto SIM cards, gathered
Friday to assess possible collateral damage from the alleged hack,
according to a spokesman.
Deutsche Telekom called for Gemalto to provide a full accounting
of what it knows about any alleged security breach. In a statement,
the German company said it tweaks the standard encryption algorithm
embedded in Gemalto SIM cards, a practice it said should protect
Deutsche Telekom customers from any privacy breach.
"We currently have no knowledge that this additional protection
mechanism has been compromised," Deutsche Telekom said in a
statement. "However, we cannot rule out this completely," the
company said.
Bouygues Telecom, a mobile telephone operator in France and
another Gemalto customer, said it had contacted Gemalto for
information about the possible hack. "We take the issue very
seriously," a spokeswoman said.
China Mobile, the world's biggest telecom provider by
subscribers, wasn't reachable for comment. No. 2 provider Vodafone
said "we have no further details of these allegations which are
industrywide in nature and are not focused on any one mobile
operator. We will support industry bodies and Gemalto in their
investigations."
The Intercept report alleges that the U.S. National Security
Agency and the U.K.'s Government Communications Headquarters, or
GCHQ, attempted in 2010 to steal Gemalto encryption keys. It cites
GCHQ documents describing a joint GCHQ-NSA team called the Mobile
Handset Exploitation Team. It alleges British and American spies
monitored and mined the private email and Facebook communications
of engineers and other Gemalto employees around the world, to
identify employees working on encryption and SIM products.
According to documents leaked to the Intercept, government
hackers said they had gained access to "core mobile networks" by
penetrating Gemalto's computer systems and intercepting encryption
keys the company implants into the SIM cards it ships to
customers.
GCHQ, in a statement, said it doesn't comment on intelligence
matters. But it said all of its work "is carried out in accordance
with a strict legal and policy framework, which ensures that our
activities are authorized, necessary and proportionate" and that it
is subject to "rigorous oversight" by the government and
parliament. "All our operational processes rigorously support this
position. In addition, the U.K.'s interception regime is entirely
compatible with the European Convention on Human Rights," GCHQ
said.
A representative for the NSA couldn't be reached for comment.
The U.S. embassy in the Netherlands didn't return a call for
comment.
Gemalto develops and installs security and identification
software in a line of products, including SIM cards, which go into
cellphones, payment cards and electronic identification documents.
SIM cards in phones are embedded with an encryption key--a
mathematical code that conducts a "digital handshake" with a mobile
carrier's network, which has the corresponding encryption key for
that specific SIM card. Once that digital identification process is
completed, the call or data transfer is encrypted and can proceed
in both directions.
Obtaining SIM-card security keys could help an intelligence
agency intercept and decrypt over-the-air cellular transmissions
from any phone whose key had been stolen, a former European
intelligence official said. That could ease short-range
interception of newer phones that use a more sophisticated type of
SIM-card-based encryption, the former intelligence official
said.
U.S. carriers are still getting their heads around the issue.
Sprint Corp. and Verizon didn't use SIM cards in their phones at
all until after 2011 when they transitioned to new technology. Even
with SIM-card keys, it would still be difficult to decrypt
communications, said a person familiar with the matter.
If Gemalto finds evidence of a security breach, it could trigger
calls for the company and its customers to recall its chips, some
analysts said. According to its website, Gemalto has 450
mobile-network operators as customers. It recorded EUR2.4 billion
($2.72 billion) in revenue in 2013.
"Gemalto could be forced to replace a large number of SIM cards,
which could be a costly exercise," analysts at Dutch lender
Rabobank wrote Friday in a research note. "Gemalto has a lot to
lose here."
The SIM-card manufacturing industry is dominated by a handful of
European firms, including Gemalto and privately held Oberthur
Technologies of France and Germany's Giesecke & Devrient
GmbH.
Oberthur declined to comment. Giesecke & Devrient said it
had no indication it was subjected to anything similar to the
incident at Gemalto.
Write to Amir Mizroch at amir.mizroch@wsj.com and Lisa Fleisher
at lisa.fleisher@wsj.com
Access Investor Kit for Deutsche Telekom AG
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=DE0005557508
Access Investor Kit for Vodafone Group Plc
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=GB00BH4HKS39
Access Investor Kit for China Mobile Ltd.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=HK0941009539
Access Investor Kit for Gemalto NV
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=NL0000400653
Access Investor Kit for China Mobile Ltd.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US16941M1099
Access Investor Kit for Deutsche Telekom AG
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US2515661054
Access Investor Kit for Gemalto NV
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US36863N2080
Access Investor Kit for Verizon Communications, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US92343V1044
Access Investor Kit for Vodafone Group Plc
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US92857W3088
Subscribe to WSJ: http://online.wsj.com?mod=djnwires