Dutch-based SIM card manufacturer Gemalto has revealed it was attacked by the British and US surveillance agencies GCHQ and NSA, but claims encryption keys for SIMs were not stolen in the attack.
The Intercept reported the attack last week as part of the Edward Snowden NSA leaks. It is the second GCHQ attack on an allied country's company, this time the Netherlands.
Gemalto claims the attack from the two agencies “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys".
The attacks started in 2009 when the GCHQ heard about Gemalto's new SIM card encryption, which could go a long way to removing the intelligence agency's access to private phone communications.
“By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft,” the Gemalto in a statement.
In order to regain control, the GCHQ planned to steal the encryption keys by embedding itself in the Gemalto network. This would allow agents to steal any new keys, giving them unbridled access to phone communications.
Even though Gemalto agreed it had been attacked, it has not said if it will do anything about the apparent attacks from two of the largest intelligence agencies in the world.
Several UK activists have been asking for the British government to do more to bring GCHQ in line, most importantly bringing its programs into the public eye instead of hiding them behind private court cases and undisclosed Parliament agreements.
The UK has oddly been exempt from some of the burned bridges between European countries and the US, despite the GCHQ readily helping and sometimes orchestrating attacks in partnership with the NSA.
In an upcoming European Human Rights case, the UK might be questioned as to the legality of attacking overseas companies for surveillance information.