Last week, a report in The Intercept revealed that GCHQ and NSA managed to hack into all of Gemalto's systems and steal encryption keys for its SIM cards, credit card chips and so on. Gemalto is currently the largest SIM chip manufacturer in the world, serving over 3,000 banks and 450 carriers.
Such a hack could have potentially disastrous financial implications for the company. Within a day, the company had already lost $500 million in stock value. For a security company, having trustworthy products is critical to retaining customers.
This is why Gemalto has already come out and made a statement today, saying that its SIM chips are secure.
"Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn't expect to endure a significant financial prejudice," read a statement on its website.
However, the statement seems to be quite vague. For one thing, Gemalto doesn't address the issue of having its systems compromised in the past, even if it may have fixed all the security holes. Gemalto's products may be secure now, but what about all the billions of SIM cards on the market that have compromised keys? The company seems to completely sidestep this issue.
The second problem with the statement is that it seems unlikely the company could fix all of its systems in 40 countries, over the weekend, after having the GCHQ and NSA go through its systems and implant malware since 2010. Therefore, it sounds more like this statement is designed to appease both shareholders, who have lost some trust in the company's stock, and its customers (carriers, banks, etc.).
In fact, since the company published the statement, its stock value has begun rising.
Security experts such as Matthew Green, a professor of cryptography at Johns Hopkins University, don't seem to believe Gemalto.
Much like Lenovo, Gemalto responded to a very serious security issue with a statement that completely dismissed the concerns of security experts. Lenovo later retracted its statement that said there were no security issues, realizing how irresponsible that was, so it remains to be seen if Gemalto will do the same. The company will hold a press conference (Paris, 10:30 am) on Wednesday to offer more details.