Unauthorized User Access Blamed on Syniverse Hack
Author: Joakim Thorén, Founder and CEO
Previous << Thales Cloud Security Summit
You may be blissfully unaware of a company called Syniverse. Most of us were, too, until last month when a company document revealed a 5-year login hack of its databases.
The news came about in a routine (US) Securities and Exchange Commission filing as a precursor to Syniverse potentially becoming a publicly traded firm. As is required in this type of SEC filing, Syniverse disclosed potential risk factors for investors that included a hack of data from 235 of the world’s telecom carriers.
Databases are hacked daily -- it’s true -- but they rarely have the potential impact of this one. The company acts as the routing arm for text messages from customers of carriers like Verizon, AT&T, T-Mobile and about 297 others. In all, the hack impacted more than 75 percent of Syniverse’s customer base. That means the impact could extend to every customer of those carriers who sent SMS messages in the last half decade.
Hundreds of billions of text messages flow through these companies annually. In fact, Syniverse says its services process more than 740 billion messages each year for its carrier customers. To date, there have not been reports that hackers gained access to the actual text messages or other customer data, which may be the best possible outcome of the hack.
Not surprisingly, the “individual or organization” gained unauthorized access to Syniverse’s networks a variety of times over the 5-year-period, the company said in its statement, and that “login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised” for those 235 customers. As part of its remediation efforts, Syniverse either deactivated or reset the credentials for all its EDT customers.
From my perspective, there are three things that are surprising about all of this. One is that one company is a single point of exposure for the potentially billions of people who send text messages. Second is that the hack went unnoticed there until five years after it began in May 2016. The third is that this should not have happened: companies like ours provide the tools that can make hacks like this far less prevalent or damaging.
Since the breach was discovered earlier this year, Syniverse says it’s taken the proper remediation steps – including notifying law enforcement and hiring specialists to help combat the crime. It says it has put in increased protection measures for its IT systems, too. For now, the company says there have been no known attempts to misuse the hacked data but said in the SEC filing that it cannot entirely rule out the possibility.
Enterprises like being in the headlines for all the remarkable things they do. Don’t let your headlines be about having your data breached. Talk with a Versasec expert today by contacting us here.