5-Year Data Hack Disclosed by SMS Giant Syniverse

Syniverse, who describe themselves as ‘the world’s most connected company’ with a network that ‘reaches almost every person and device on Earth’ has revealed hackers obtained unauthorized access to their systems over a 5-year period, reports Vice. Syniverse disclosed the hack in a filing to the US Stock Exchange Commission (SEC):

…in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”). Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.

The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers. All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.

To put the potential scale of the breach into perspective, it is worth noting that Syniverse handles over 740 billion SMS messages a year, and has over 300 mobile operators as customers. These customers include many of the world’s biggest telcos, such as America Movil, AT&T, China Mobile, China Unicom, Verizon and Vodafone Group. The disclosure made no mention of whether the hackers had visibility of the contents of the SMS messages that Syniverse handles for its customers, nor of the other sensitive data it processes, which includes records of calls and amounts billed.

Syniverse has so far rebuffed any questions about the breach put to them by journalists. The SEC filing gives readers the distinct impression that Syniverse will not share any more information unless legally compelled to.

Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time.

The disclosure claimed the hacker’s intrusion had no financial implications. If true, this suggests the hacker was likely to be working for a nation state. It is unclear how Syniverse knows there were no financial consequences when so many SMS messages are now used to transmit one time passwords.

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity. Syniverse did not experience and does not anticipate that these events will have any material impact on its day-to-day operations or services or its ability to access or process data. Syniverse has maintained, and currently maintains, cyber insurance that it anticipates will cover a substantial portion of its expenditures in investigating and responding to this incident.

I would like to be working for Syniverse’s insurers right now. Apparently they will cover the cost of an ‘incident’ that lasted five full years but which affected nobody and caused no financial losses! My guess is that Syniverse’s insurance claim will assert the hack was much more serious than their SEC disclosure admits.

Syniverse’s ‘thorough’ investigation was not so thorough that they decided against protecting themselves from the further legal liabilities they could potentially incur if they pretended that all the relevant bad news has already been discovered and disclosed.

While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business. The release of any of this information could have a material adverse effect on Syniverse’s business, reputation, financial condition and results of operations.

US Senator Ron Wyden was rightly critical of Syniverse in a statement he provided to Vice. Wyden is the most active US politician when it comes to protecting the privacy of phone users.

The information flowing through Syniverse’s systems is espionage gold… That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.

Syniverse has a huge sales and marketing budget which they use to continuously chase mobile operators for more business. Much of this is spent on schmoozing telco managers at a litany of events across the globe, though I bear something of a grudge against Syniverse after catching one of their sales agents attempting to sneak free entry into one of my conferences. They spend a lot on promoting their messaging and security services but the significance of their business is not appreciated by the average phone user. This is why Syniverse can choose to be uncooperative with the press despite suffering a 5-year data breach of potentially great importance for the privacy of people and businesses worldwide.

When asked by journalists if any personal data had been compromised, Syniverse refused to give an answer. You may want to draw your own conclusions about why the world’s most connected company is so unwilling to talk. Operators whose brands are recognized by ordinary people cannot expect to hide when they suffer a data breach. It does not suit the long-term interest of those telcos to allow Syniverse to play down their responsibilities to all of us.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.