Company that routes SMS for all major US carriers was hacked for five years


Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.

A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.

Syniverse routes messages for 300 operators

Syniverse says its intercarrier messaging service processes over 740 billion messages every year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.

We asked AT&T, Verizon, and T-Mobile today whether the hacker had access to people’s text messages, and we will update this article if we get any new information.

Syniverse’s importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be delivered nearly nine months late. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was reactivated.

Syniverse says it fixed vulnerabilities

Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, “even if their credentials were not impacted by the incident.”

“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident, but didn’t say what those measures are.

Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity… While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.

Syniverse’s SEC filing was submitted on September 27 and discussed yesterday in an article in Vice’s Motherboard section. According to Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.

Vice wrote:

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”
