The recently disclosed Gemalto breach has heightened concerns among security professionals and organizations alike. According to the report published by The Intercept, Gemalto (a company that operates in 85 countries and has more than 40 manufacturing facilities) was breached by U.S. and U.K. intelligence agencies in 2010.

Key details of the Gemalto breach

  • According to the published report, the British intelligence agency penetrated Gemalto’s internal networks by planting malware on several computers.
  • They targeted unnamed cellular companies’ core networks, which gave them access to sales staff machines for customer information and network engineers’ machines for network maps.
  • They claim to have the ability to manipulate the billing servers of cell companies to suppress charges, concealing the spy agency’s secret actions against an individual’s phone.
  • They penetrated “authentication servers,” allowing the agencies to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network.

The breach gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications in real time. Gemalto produces around 2 billion SIM cards a year, and with stolen encryption keys (from major wireless network providers) the intelligence agencies can monitor mobile communications without approval from governments or telecom companies. With the encryption keys in hand, decrypting traffic is very, very easy, which is extremely bad news for phone security.

Gemalto was not aware of any penetration of its systems or of the spying on its employees until The Intercept report. Yet only a week after the news about the breach, Gemalto is claiming that although it was hacked, its segmented internal networks (where sensitive encryption keys are stored) were not breached.

Information security experts question these assertions and view the short time it took Gemalto to investigate the attack as a red flag. Just look at the Target and Sony Pictures Entertainment investigations; those companies did not disclose details and the extent of their breaches until months after they started investigating. Also, Gemalto has made no mention of hiring a third party to review its investigation. With a compromise of the magnitude it is facing, a re-assessment is a must.

A breach is bad enough, but not taking a detailed approach to the investigation puts the company and its customers at risk. Hopefully Gemalto will continue to investigate the breach to ensure it has no impact on its business and customers.

 
