Global Telecom Company Syniverse Reveals Five-year Breach
According to Syniverse, the Incident Impacted Over 230 of Its Customers and Potentially Millions of Other Mobile Users.
Last week, Syniverse, an international organization that provides technology and business services for several telecommunications companies, has confirmed it had suffered a massive attack that exposed billions of text messages and hundreds of customer login credentials for years.
The telecommunication giant processes around 740 billion text messages every year, and some of its customers include major companies such as AT&T, Verizon, and T-Mobile.
According to the company, its client list counts the majority of mobile communications providers, important international banks, and tech organizations.
Who Was Impacted?
Journalists at Vice noticed first that on September 27th, a breach was disclosed in a filing with the U.S. Securities and Exchange Commission (SEC). The company advised that an “individual or organization gained unauthorized access to databases within its network”, compromising a system accessed by over 230 users.
Following the discovery, the telecommunication company started an internal investigation in order to determine the scope of the attack. The investigation showed that that unauthorized access to the company’s system has been ongoing since May 2016. The intrusions went undetected until May 2021.
All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.
What Data Was Accessed?
According to Syniverse, its investigation didn’t reveal any intention to damage operations or make a profit from the attack. However, the likelihood of data exfiltration is not ruled out by the company and it could seriously affect its business, staff, clients, suppliers, and vendors. In addition, it could result in future cyberattacks.
The types of accessed data could include details of a call or message, phone numbers, locations, and the content of an SMS. A former Syniverse employee said that as an usual exchange pivot for carriers, “it inevitably carries sensitive info like call records, data usage records, text messages, etc.”
Apple Users Protected
At least, Apple users are safe as the iMessage service use end-to-end encryption. However, if the recipient isn’t registered with Apple, they receive a normal text message, hence isn’t as protected.
Cybersecurity specialists say that because of the organization’s size, the five-year-long breach may have exposed billions of individuals worldwide. Security expert Karsten Nohl called the incident “a global privacy disaster.”
Senator Ron Wyden of Oregon declared:
That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices.
The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.