 February 21, 2015  Posted by  Breaches, Misc, Non-U.S.

Daragh O’Brien has a blog post on the Gemalto security mess and what the responsibility of Irish telcos might be, as he understands it:

My view is that telcos in Ireland, and potentially other EU countries, would need to inform their customers, and telcos should ideally be looking for a solution to reinstate the security of the SIM-to-Network link and issue new SIM cards to their subscribers. While National Security is outside the remit of the Data Protection laws and ePrivacy directives, that should be interpreted narrowly to relate to the actions of the Intelligence services in their spying. Hacking Gemalto may have been just on the right side of the line (I’m not saying that it is). However, it creates a problem for Telecoms companies in that the day-to-day operation of their networks is not a National Security or Intelligence service activity and the networks are now compromised if the telecoms company uses Gemalto SIM cards.

That will be costly and complex and, inevitably, telecoms companies will pass the cost on to their customers (it’s a tight margin business at the best of times, and reinstating a chunk of your customers with new SIMs is not to be undertaken lightly).

Read more on DOBlog. I’m trying to determine if any data protection authority has issued any statement in response to the situation, but so far, no joy.

