Syniverse provides “backbone services to wireless carriers like AT&T, Verizon, T-Mobile, and several others around the world.” It is a critical part of the global telecom infrastructure used by major providers like AT&T, T-Mobile, Verizon, as well as global companies such as Vodafone and China Mobile. The company quietly disclosed that the hackers had access to its systems for years. This impacted over 200 of Syniverse’s clients, potentially translating to millions of cellphone users worldwide.
Hackers Breached Syniverse for Over 5 Years
Syniverse serves as a common exchange hub for network carriers around the world. It processes over 740 billion text messages every year. According to its website, it has “direct connections” to more than 300 network carriers around the globe. The company passes billing information between network carriers. This role inevitably involves handling sensitive information such as call records, data usage records, and text messages. It is unclear exactly what type of information Syniverse handles. However, since Syniverse exchanges call records and other billing details, experts believe it could easily include personally identifying information. Syniverse revealed the breach to the SEC in a filing dated September 27, 2021. It told the commission that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers.” Karsten Nohl, a security researcher, said “Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster.” Nohl added that hacking Syniverse would provide indirect access to a variety of internet accounts. This includes accounts protected with SMS 2-factor authentication.
Syniverse’s Response
On the other hand, a former Syniverse employee believes that the damage could be more limited than expected. The employee, who asked not to be named, said that security breaches of this nature could be caused by laziness. While the incident is “extremely embarrassing,” it may not lead to significant damage, since the world has not seen anything come out of this over five years, they said. “Not saying nothing bad happened, but it sounds like nothing did happen,” the former employee added. Syniverse issued a statement in response to the incident. The company said it implemented its security incident response plan and engaged a top-tier forensics firm to assist with its internal investigation. Additionally, it notified and is cooperating with law enforcement. Furthermore, all EDT customers have had their credentials reset or deactivated, even if they were not affected by the incident. Syniverse added that it has communicated with its customers directly and concluded that no additional action is required. The company also said it has implemented “substantial additional measures to provide increased protection to our systems and customers.”
Washington on Alert
Meanwhile, Adrian Sanabria, a cybersecurity expert and founder of Security Weekly Labs, believes the hack could be a state-sponsored attack. “Can’t imagine [Syniverse] being a target for anyone else at that scale,” Sanabria said. Sen. Ron Wyden echoed this belief and raised questions about the company’s cybersecurity practices. “The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry,” he said.