By Amir Mizroch in London and Maarten van Tartwijk in Amsterdam
Dutch digital-security firm Gemalto NV scrambled Friday to
respond to a report that U.S. and British intelligence agencies
hacked into the company--one of the world's biggest cellphone
SIM-card providers, with customers including Vodafone Group PLC and
Verizon Communications Inc.
The alleged hack--reported by a news site that has been a
conduit of leaks from former National Security Agency contractor
Edward Snowden--raises fresh questions about Western governments'
attempts to tap into private companies to gain access to
personal-communication data, potentially circumventing legal
procedures and privacy safeguards.
For Gemalto, based in France and the Netherlands, it also raises
the prospect of significant financial pain, with some analysts
saying the company may be forced to recall chips if the alleged
leak raises widespread worry among telecommunications customers or
individual users over privacy.
Jan Philipp Albrecht, chief negotiator for the European
Parliament on the European Union's data protection law, urged the
Dutch government to open an investigation into the alleged Gemalto
hack, which he said was "obviously based on some illegal
activities."
"Member states like the U.K. are frankly not respecting the [law
of the] Netherlands and partner states," he said.
EU institutions are prohibited from investigating such cases
because national security matters are left to national governments,
and are exempt from EU law.
"We even get letters from the U.K. government saying we
shouldn't deal with these issues because it's their own issue of
national security," Mr. Albrecht said.
Shares in Gemalto fell nearly 7% at one stage in Friday morning
trading in Amsterdam.
The company said it was investigating the alleged breach after a
report Thursday by the Intercept, a news site set up by Glenn
Greenwald, the American journalist who has been a principal
disseminator of classified material from Mr. Snowden.
"We cannot at this early stage verify the findings of the
publication and had no prior knowledge that these agencies were
conducting this operation," Gemalto said in a written statement.
"We take this publication very seriously and will devote all our
resources necessary to fully investigate and understand the scope
of such sophisticated techniques."
The report alleges that the U.S. NSA and the U.K.'s Government
Communications Headquarters, or GCHQ, started hacking the company
in 2010 to steal encryption keys used to protect the privacy of
mobile-phone communications. It cites GCHQ documents describing a
joint GCHQ-NSA team called the Mobile Handset Exploitation Team. It
alleges British and American spies monitored and mined the private
email and Facebook communications of engineers and other Gemalto
employees around the world, to identify employees working on
encryption and SIM products.
According to the leaked documents, government hackers said they
had gained access to "core mobile networks" through penetrating
Gemalto's computer systems and intercepting encryption keys the
company implants into the SIM cards it ships to customers. The
company sends a corresponding key to its mobile-operator
customers.
"Successfully implanted several machines and believe we have
their entire network," one leaked document said.
GCHQ, in a statement, said it doesn't comment on intelligence
matters. But it said all of its work "is carried out in accordance
with a strict legal and policy framework, which ensures that our
activities are authorized, necessary and proportionate" and that it
is subject to "rigorous oversight" by the government and
parliament. "All our operational processes rigorously support this
position. In addition, the U.K.'s interception regime is entirely
compatible with the European Convention on Human Rights," GCHQ
said.
A representative of the NSA couldn't be reached for comment. A
spokesperson for the U.S. Embassy in the Netherlands wasn't
immediately available for comment.
Gemalto develops and installs security and identification
software in a line of products such as SIM cards, which go into
cellphones, payment cards and electronic identification documents.
SIM cards in phones are embedded with an encryption key--a secret
value used in a "digital handshake" with a mobile carrier's network,
which holds the corresponding encryption key for that specific SIM
card. Once that digital identification process has been completed,
the call or data transfer is encrypted and can proceed in both
directions. According to its website, Gemalto has
450 mobile-network operators as customers. It recorded EUR2.4
billion ($2.72 billion) in revenue in 2013.
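As an added illustration (not code from the article, from Gemalto or from any carrier), here is a toy Python model of the shared-key handshake just described, with HMAC-SHA256 standing in for the real SIM algorithm and all key values constructed. It shows why a copy of the key from the provisioning batch is enough to reproduce the per-call cipher key from the challenge alone, and why replacing the SIM with a fresh key is the remedy the analysts quoted below have in mind.

```python
"""Toy model of the SIM/carrier shared-key handshake (added example)."""
import hashlib
import hmac
import os


def sim_respond(ki, rand):
    """SIM side. From the carrier's random challenge, compute the short
    authentication response and the per-call cipher key. HMAC-SHA256 is
    a stand-in for the real SIM algorithm (assumption). Both outputs
    depend only on Ki and the challenge, which is the whole problem once
    a copy of Ki has leaked."""
    sres = hmac.new(ki, b"auth" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"cipher" + rand, hashlib.sha256).digest()[:16]
    return sres, kc


def carrier_authenticate(ki_on_file, sim_ki, rand=None):
    """Carrier side. Send a challenge, check the SIM's answer against the
    key the carrier received from the SIM maker, and return
    (accepted, rand, cipher_key). rand can be fixed for reproducibility."""
    rand = rand or os.urandom(16)
    expected_sres, kc = sim_respond(ki_on_file, rand)
    sres, _ = sim_respond(sim_ki, rand)
    if not hmac.compare_digest(sres, expected_sres):
        return False, rand, None
    return True, rand, kc


def passive_observer_key(stolen_ki, rand_seen_on_air):
    """Anyone holding a copy of Ki from the provisioning batch needs only
    the challenge, which travels in the clear, to reproduce the cipher
    key. No interaction with the SIM or the carrier is required."""
    _, kc = sim_respond(stolen_ki, rand_seen_on_air)
    return kc


# Constructed sample keys: the value burned into one SIM (and sent to the
# carrier), and the fresh value a replacement SIM would carry.
SIM_KI = bytes.fromhex("00112233445566778899aabbccddeeff")
REPLACEMENT_KI = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo_leak(current_ki, stolen_ki):
    """Run one handshake with the key currently in the SIM and on file,
    then ask whether a holder of stolen_ki derives the same cipher key.
    Returns (handshake_accepted, leaked_copy_still_works)."""
    ok, rand, kc = carrier_authenticate(current_ki, current_ki)
    return ok, kc == passive_observer_key(stolen_ki, rand)
```

`demo_leak(SIM_KI, SIM_KI)` shows the leaked copy tracking every call; `demo_leak(REPLACEMENT_KI, SIM_KI)` shows that once the SIM and the carrier's record carry a fresh key, the stolen copy no longer yields the cipher key.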
The alleged breach isn't the first instance in which a Western
government agency has been accused of tapping into the
infrastructure of a private company to gain access to personal
communications. Previous leaks by Mr. Snowden allege U.S. and
British agencies have attempted to access infrastructure at big
American tech companies, including Google Inc., without those
companies' knowledge to access individual communications and
data.
Telecom and tech companies have also routinely provided
authorities in the U.S., Britain and beyond with data about
cellphone users after specific requests by those agencies. But
those requests are typically routed through courts or other legal
procedures.
Microsoft Corp., Google, Yahoo Inc. and Facebook Inc., for
instance, all supply user data to the NSA, in response to secret
orders from a Foreign Intelligence Surveillance court, under a
program known as Prism that was previously disclosed in Snowden
leaks.
Because of Gemalto's position as a provider of SIM cards, the
alleged hack opens up a potentially new avenue through which
Western agencies may have worked to obtain cellphone data carried
on dozens of large telecom networks around the world.
If Gemalto finds evidence of a security breach, it could trigger
calls for the company and its customers to recall its chips, some
analysts said.
"Gemalto could be forced to replace a large number of SIM cards,
which could be a costly exercise," analysts at Dutch lender
Rabobank wrote Friday in a research note. "Gemalto has a lot to
lose here."
Spokespeople for China Mobile, the world's largest telecom
provider by subscribers, and several other big Gemalto customers
weren't immediately available for comment.
In a statement, Vodafone, No. 2 behind China Mobile, said "we
have no further details of these allegations which are industrywide
in nature and are not focused on any one mobile operator. We will
support industry bodies and Gemalto in their investigations."
Tom Fairless in Brussels contributed to this article.
Write to Amir Mizroch at amir.mizroch@wsj.com and Maarten van
Tartwijk at maarten.vantartwijk@wsj.com