Syniverse, a company that handles billions of text messages from cellular carriers, quietly admitted during its filing dated September 27th with the US Security and Exchange Commission that its database was hacked for 5 years.
The company became aware of the incident on May 1, 2021, and immediately conducted an investigation. The results of the investigation revealed that unauthorized access has been going on since May 2016.
Here’s an excerpt from its filing with the US SEC (Page 69):
For example, in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”). Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.
The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers. All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.
Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time.
Syniverse is responsible for routing billions of text messages every year and has “direct connections” to hundreds of mobile operators around the world. They provide services to major wireless carriers like AT&T, Verizon, T-Mobile, and other international carriers. More from Motherboard:
A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records.
Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.
“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”
“Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”
That means the recently discovered and years-long data breach could potentially affect millions—if not billions—of cellphone users, depending on what carriers were affected, according to an industry insider who asked to remain anonymous as he was not authorized to speak to the press.