Text Messaging Routing Firm Syniverse Reveals 5-Year Breach
Syniverse Routes Over 1 Trillion Messages Annually for AT&T, Verizon, Others
Telecommunications business Syniverse, which routes text messages for the vast majority of the world's mobile phone carriers, has disclosed that its systems were breached for five years.
The privately owned telecommunications service firm, based in Tampa, Florida, and valued at $2.85 billion, is set to go public by the end of the year. The company counts about 1,250 customers across almost 200 countries, including 95 of the top 100 mobile carriers in the world, such as AT&T Mobility, Verizon Wireless and T-Mobile USA.
"In May, Syniverse became aware of unauthorized access to its operational and IT systems by an unknown individual or organization," the company says in a filing to the U.S. Securities and Exchange Commission dated Sept. 27. "Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident."
Syniverse says investigators found that hackers first gained access to its systems in May 2016. "Syniverse's investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its electronic data transfer ('EDT') environment was compromised for approximately 235 of its customers," the company reports. "All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance."
Syniverse serves in part as a back-end messaging provider, enabling different carriers to bridge their differing protocols to route messages between their networks - for example, from an AT&T subscriber to a T-Mobile one.
"Syniverse serves nearly every mobile network operator in the world and its solutions help carriers provide their customers with secure global connectivity and messaging," the company says in its filing. "Syniverse's carrier product groups consist of Global Network Services, Outsourced Carrier Solutions, and Messaging Solutions."
For messaging solutions, Syniverse delivers person-to-person text messages between carriers, via messaging hubs that it maintains both for itself and carriers. "Syniverse processes over 1 trillion messages through these hubs annually," the company says in its filing.
The breach could have serious security implications. "The information flowing through Syniverse's systems is espionage gold," says Sen. Ron Wyden, D-Ore., who says the industry should face mandatory cybersecurity standards.
The acting chairwoman of the Federal Communications Commission, Jessica Rosenworcel, has promised to investigate the breach.
A Syniverse spokesman tells Information Security Media Group that the company has put in place post-breach security improvements. "In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers," he says. "We will continue to communicate directly with our customers if needed."
Syniverse declined to comment on which 235 customers were affected, whether financial or other personal information was exposed and whether individual consumers will need to be informed - per U.S. states' data breach notification requirements or the EU's General Data Protection Regulation.
Another outstanding question that Syniverse declined to answer: How did the five-year breach eventually get discovered?
"It did continue for a remarkably long time, so I'd ask myself how that managed to persist," says Alan Woodward, a visiting professor of computer science at the University of Surrey. "And, more particularly, what was it that alerted the company to this incident?"
Syniverse's filing, while lacking such detail, does state that the "top tier" digital forensic investigators that it brought in "did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity." But an absence of such evidence is no guarantee that such activities have not already occurred, or that exfiltrated data might not be used for such purposes in the future, as well as for espionage or criminal purposes.
Syniverse says it doesn't expect to publicly release any more information about the breach. "Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter," the spokesman says.
News of the SEC filing and breach detailed therein was first reported by Vice.
A former Syniverse employee who worked on its electronic data transfer systems, as well as a separate telecommunications industry insider, collectively told Vice that the exposed information could have included call records, including metadata revealing the phone numbers of a message sender and recipient and their locations, as well as the length of calls and content of all text messages.
Syniverse says the text message metadata it handles also includes "device identification information," which of course can also be used to track individuals.
Woodward says that "it's not simply the messages which are of value here, but the metadata: It's not just espionage gold but it's ideal input for scammers and phishers, or more specifically smishers," aka those who do phishing via SMS.
"Smishing, particularly on smartphones where links sent in an SMS can be acted upon directly, is a really dangerous channel," Woodward tells ISMG. "Combine dangerous links with spoofed numbers or names and you can see how even the most cynical of us could fall for a scam sent by SMS."
In criminals' hands, more complex attacks could be constructed. "Imagine they have your name and other billing details, and SMS you about - say - your bank, using details that make you think it must be the bank as only they would have such details," he says. "Basically, a breach such as this exacerbates what is already a dangerous communications link."
'Global Privacy Disaster'
"A five-year breach of one of Syniverse's main systems is a global privacy disaster," German cryptography and mobile telephony security expert Karsten Nohl tells Vice.
"Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of internet accounts protected with SMS two-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once."
Details of the breach are contained in a proxy statement, dated Sept. 27, that was sent to stockholders of M3-Brigade Acquisition II Corp. and detailed in a Schedule 14A filing to the U.S. Securities and Exchange Commission. The statement follows Syniverse's Aug. 16 announcement of plans to become a publicly traded company by merging with M3-Brigade Acquisition II, a publicly traded company designed to acquire companies and, by doing so, take them public.
The merger values Syniverse at $2.85 billion. The transaction, which is expected to close before the end of the year, would see the publicly traded company renamed as Syniverse Technologies Corporation and listed on the New York Stock Exchange under ticker symbol "SYNV."
Under the terms of the deal, existing business partner Twilio, a San Francisco-based cloud-communications-platform-as-a-service company, will become a significant minority owner of Syniverse.
Risk: Exfiltrated Data
In its SEC filing, Syniverse warns its potential future stockholders that data exfiltrated in the attack could be used in the future.
"Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time," the company says in its filing.
"While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems" from the five-year breach, or a future breach, the company says in its filing.
"The release of any of this information could have a material adverse effect on Syniverse's business, reputation, financial condition and results of operations," it says.
Beyond the FCC promising to probe the breach, it remains to be seen if Syniverse will face any other investigations or potential lawsuits. But the company says in its filing that it continues to carry cyber insurance, which "it anticipates will cover a substantial portion of its expenditures in investigating and responding to this incident."