Sim card maker Gemalto says it was hacked by GCHQ and NSA but encryption keys are safe

Dutch Sim card maker Gemalto was hit by a huge hack by the British and American intelligence agencies, but they were probably unable to steal the encryption keys that they were after, the company has claimed.

It was reported last week that GCHQ and the NSA had broken into the company’s databases and stolen encryption keys, which was compared to getting a master key for a block of flats and helping the two organisations listen in on communications. But at a press conference this morning the company said that the 2010 and 2011 attacks “only breached its office networks and could not have resulted in a massive theft of Sim encryption keys".

The company makes Sim cards for many of the biggest phone networks across the world. If intelligence agencies had got hold of the keys users would have no idea that the data had been intercepted.

The hacking attempted to steal the keys as they were sent between networks and the company itself. “By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft,” the company said in a statement.

The company said that it had “reasonable grounds to believe” that the cyberattacks “probably happened”. But it also said that such an attack could not have given the organisations access to the keys.

The hack, first reported by The Intercept, was revealed in documents leaked by Edward Snowden.

The company said that its comments “assume that the published documents are real and refer accurately to events that occurred during 2010 and 2011”.