In a Securities and Exchange Commission filing that was published last week, Syniverse disclosed that it learned in May about “unauthorized access to its operational and information technology systems by an unknown individual or organization.” Syniverse routes billions of text messages each year.
Although the firm says it notified law enforcement and carried out an internal investigation, they did not publicize the hacking, which they determined started in May of 2016. Therefore, hackers may have had unlimited access to people’s text messages for the last five years.
According to the filing, the hackers got into databases within its network and were able to access its Electronic Data Transfer (EDT) environment. This means they may have accessed call records along with metadata such as the phone numbers, content and locations of texts.
Syniverse claims that they haven’t seen any signs of an intent to disrupt their operations or monetize the breach, but it’s difficult to believe that the hackers had no motivation for such a lengthy attack. Some observers believe that a true lack of attempted monetization may indicate a government intelligence agency was behind the breach.
They disclosed the breach as part of a preliminary proxy statement for a pending merger that will see them become a publicly traded firm; the incident was listed as a risk factor for investors.
Many cell phone users are not familiar with the name Syniverse, even though they rely on them every day to ensure their text messages reach their intended destination. They did make headlines in 2019, however, when a server failure caused more than 168,000 messages sent on Valentine’s Day in February to get stuck in a queue and go undelivered until nine months later, in November, due to a server failure.
In its SEC filing, Syniverse said that it had reset or deactivated all of its EDT customers’ credentials to address the breach, even those who were not impacted directly by the incident. They said they determined that no further action, such as customer notification, is needed right now.
However, they admitted to the SEC that problems stemming from the breach could emerge in the future.
"While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences,” their filing stated.
They also believe that people’s personal and sensitive information could still be at risk. The statement continued: “Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse's trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business."
An anonymous source at one of the affected telephone carriers told Vice that they believe the hackers could have accessed the text messages’ content, the phone numbers of the senders and receivers, and other data.
It’s not just the privacy aspect and the prospect of the public reading personal text messages that is so concerning here; many banks use SMS to send codes for two-factor authentication when people are attempting to log into their bank account. This breach may have been shocking in how long it was able to go on unchecked, but it's not too surprising that an SMS router was a target. As long as people continue to transmit sensitive data online, hackers will find ways to get their hands on it.
Sources for this article include: