That they didn't find a breach doesn't mean it hasn't happened.
It could have been an inside job; if anyone can get an impeccable CV for working at Gemalto, it's a spook.
Presumably Gemalto contracts out some operations to third parties. Whatever was found on their LAN was probably useful in infiltrating them.
Edit: Gemalto say prepay SIMs (and in most cases that means their phones too) are chucked after 3-6 months. O'Rly?
Etc... etc...