SMS Routing Company Discloses a Five-Year-Long Data Breach

  • Last updated October 8, 2021
  • written by
    Editor

A popular telecom company, Syniverse, disclosed to the Securities and Exchange Commission that hackers had access to their systems for over five years, which resulted in the compromise of millions of login credentials, data, and text messages belonging to their customers.

Mind you, Syniverse provides SMS routing services to reputable carriers like Verizon, AT&T, Vodafone, T-Mobile, China Mobile, and more. As per the company’s official website, it processes 740+ billion messages annually.

syniverse-presentation-deck

Image Credits: Syniverse

According to last week’s published filing of the Securities and Exchange Commission, Syniverse discovered unauthorized access to its “operational and information technology systems by an unknown individual or organization…. allowing access to or from its Electronic Data Transfer (EDT) environment.”

The telecom giant became aware of the situation in May 2021 and started an internal investigation. “The results of the investigation revealed that the unauthorized access began in May 2016,” disclosed the company in the filing.

AT&T and Verizon didn’t respond to the request for comment immediately. However, T-Mobile, in its statement to Ars Technica, declared that there is “no indication that any personal information, call record details or text message content of T-Mobile customers was impacted.” At the same time, they were aware of a security mishap with the telecom giant.

Karsten Nohl, a security researcher, commented at the data breach disclosure that Syniverse has firsthand access to all its users’ and clients’ phone call records and text messages, as well as indirect access to a wide range of SMS 2FA protected internet accounts.

Senator Ron Wyden, in his email statement, said:

“The information flowing through Syniverse’s systems is espionage gold,”

He further mentioned:

“That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.”

Furthermore, the FBI and FCC did not respond immediately when requested to comment, while CISA declined the request. 

Well, this isn’t the first time that mobile network operators have been victims of a data breach incident. Around two months ago, AT&T’s database was breached, resulting in a data leak of 70 million customers, sold at a minimum cost of $200k.

In the same month, hackers stole data of T-Mobile’s over 100 million users, later taking responsibility for the attack and mentioning that the network operator has awful security.


Leave a Reply

Your email address will not be published. Required fields are marked *