Ride the Lightning

Hacked for Five Years: The Company That Routes SMS for All Major U.S. Carriers

October 7, 2021

Ars Technica reported on October 5 that Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers, including Verizon, T-Mobile and AT&T, told government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and the carriers have not said whether the hacker had access to customers’ text messages.

What a story, eh?

A filing with the Securities and Exchange Commission said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

That was all that Syniverse revealed.

Syniverse isn’t revealing more details.

When contacted by Ars Technica, a Syniverse spokesperson basically repeated the contents of the SEC filing and declined to answer specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special-purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, which in this case included the security-related risk factors demonstrated by the Syniverse database hack.

 Syniverse has said that its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users (I had never heard of it), the company plays a pivotal role getting text messages to their destination.

Ars Technica asked AT&T, Verizon, and T-Mobile whether the hacker had access to people’s text messages.

T-Mobile provided Ars a statement saying that it has “no indication” that text messages or other types of personal information were exposed. “We are aware of a security incident involving one of [our] third-party vendors, Syniverse. They provide reconciliation services for payments made between carriers. The breach impacted numerous carriers, including T-Mobile, however we have no indication that any personal information, call record details or text message content of T-Mobile customers were impacted. We will continue to investigate and work with Syniverse to close any vulnerabilities identified,” T-Mobile said.

Syniverse said in the SEC filing and its statement to Ars Technica that it reset or deactivated the credentials of all EDT customers, “even if their credentials were not impacted by the incident.”

“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told Ars Technica that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident but did not identify those measures.

Syniverse appears confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach, saying “Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity.  While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.”

Syniverse’s SEC filing was submitted on September 27.   According to a post by Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.

Vice wrote:

“Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”

So there you have it. What a mess. Syniverse could not possibly have thought that its quiet revelation of the breach in the SEC filing would stay quiet for long. Five years’ worth of SMS messages. Holy cow!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson