Telecoms Giant Syniverse Discloses Years-Long Data Breach

Syniverse, a company whose connectivity services are used by nearly all mobile carriers in the world, said hackers had access to its information technology (IT) and operational technology (OT) systems for years.

Syniverse says it has roughly 1,250 customers across 200 countries, including a vast majority of the world’s mobile carriers, such as AT&T, Verizon, T-Mobile, Vodafone, China Mobile, Airtel, Telefónica, and América Móvil. The company’s services are used to connect the networks of different mobile carriers and enable the transmission of data. Syniverse says it enables billions of transactions, conversations and connections every day.

In a recent filing with the U.S. Securities and Exchange Commission (SEC), the company admitted discovering a data breach in May 2021. An investigation revealed that an unknown threat actor had access to its OT and IT systems since May 2016.

“The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers,” the company said in its SEC filing.

It added, “Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity. Syniverse did not experience and does not anticipate that these events will have any material impact on its day-to-day operations or services or its ability to access or process data. Syniverse has maintained, and currently maintains, cyber insurance that it anticipates will cover a substantial portion of its expenditures in investigating and responding to this incident.”

Based on Syniverse’s description of the attack, it sounds like the work of a state-sponsored threat actor. If that is the case, it’s possible that the attackers may have only targeted a relatively small number of individuals, even though they may have had access to the information of millions — possibly billions — of people who use the services of the 235 Syniverse customers that have been confirmed to be impacted.

Vice’s Motherboard was the first to notice the data breach mentioned in the SEC document, which Florida-based Syniverse filed ahead of becoming a publicly traded company via a merger with M3-Brigade Acquisition II Corp., a special purpose acquisition company.

Syniverse is not sharing additional information about the impact of the incident, but Motherboard learned from a source working for a mobile carrier that — depending on what was being exchanged in the compromised environment — the attacker may have gained access to call records and message data, such as call length and cost, the numbers and location of the caller and receiver, and the content of SMS messages.

UPDATE: Syniverse has provided SecurityWeek the following statement:

Syniverse became aware of unauthorized activity in our Electronic Data Transfer (EDT) environment in late May 2021. As soon as we learned of the unauthorized activity, we implemented our security incident response plan and engaged a top-tier forensics firm to assist with our internal investigation. We also notified and are cooperating with law enforcement. Syniverse has completed a thorough investigation of the incident which revealed that the individual or organization gained unauthorized access to databases within its network on several occasions and that login information allowing access to or from its EDT environment was compromised for certain customers.

All EDT customers have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers.

We will continue to communicate directly with our customers if needed. Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter.

Related: T-Mobile Hack Involved Exposed Router, Specialized Tools and Brute Force Attacks

Related: China Slams US Plan to Expel Phone Carriers in Tech Clash

Related: Major U.S. Mobile Carriers Vulnerable to SIM Swapping Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.