The company that routes hundreds of billions of texts a year for 95 of the world's 100 biggest carriers now whispers it was hacked for five years.

Pádraig Belton, Contributor, Light Reading

October 6, 2021

Syniverse quietly admits it was hacked for five years

Softly, softly is often the best way to admit something's gone epically wrong.

And so Syniverse, which routes hundreds of billions of text messages a year for hundreds of major carriers, has just quietly admitted that for five years a hacker had access to its databases.

The Florida-based company handles 740 billion text messages annually for carriers around the world including Vodafone, AT&T, T-Mobile, Verizon and China Mobile. Of the 100 largest carriers in the world, 95 – which also include América Móvil and China Unicom – are Syniverse customers.

Syniverse made the disclosure on page 69 of a lengthy September 27 filing with the US Securities and Exchange Commission (SEC). This May, said the company, it became aware that an "unknown individual or organization" had gained unauthorized access to its network "on several occasions," beginning in May 2016. Log-in information "was compromised for approximately 235 of its customers," says the company.

The impact may have been enormous: When Syniverse went down for a few seconds on February 14, 2019, more than 168,000 text messages were lost in transit until November.

Hackathon

Founded in 1987, Syniverse has eked out for itself a prominent position in stitching different mobile carriers' networks together to transmit data from one to another. It's unclear exactly what was compromised, which could have included either just metadata or the content of text messages too, including one-time passcodes to unlock two-factor-authentication-protected accounts.

And somewhat archly, the company says "we do not anticipate further public statements regarding this matter."

"End-to-end encryption is what improved the Internet's resilience to this type of hacking, and end-to-end encryption is what it will take for telephone networks to be secure," says Travis Biehn, security consultant at Synopsys Software Integrity Group, in an email to Light Reading. Until then, attackers will continue to target traffic exchanges and telephony providers around the world, he says.

What's perhaps most disturbing is that Syniverse's hack only came to light because it is about to merge with a public company.

Life hacks

Preparing for an initial public offering (IPO), Syniverse was required by the SEC to reveal risk factors for investors. The company said in August that it will merge with a special-purpose acquisition company memorably named M3-Brigade Acquisition II Corp before its IPO. It has valued itself at $2.85 billion.

It's currently owned by the private-equity goliath the Carlyle Group, which took it private in 2011 for about $2.6 billion – not much less than its price tag a decade later. This may be partly because one of Syniverse's key areas is the technology behind mobile roaming. And that has been hit hard by years of regulation as well as the recent pandemic.

Accordingly, Syniverse has been trying to find more fertile fields to plough, such as the industrial Internet of Things and private 4G and 5G networks. In March, that led to a strategic partnership with Twilio, another SMS tech powerhouse which became a "significant minority owner" of Syniverse, after agreeing to make an equity investment of between $500 million and $750 million.

Twilio focuses on delivering texts through API interfaces, without a relationship with carriers. The Syniverse partnership was attractive because it brought access to the carrier world. Members of the wireless industry great and good who serve on the Syniverse board include the former FCC chair Julius Genachowski and former Verizon Wireless CEO Daniel Mead.

The company is so central in the SMS supply chain, and the hack went on for so long, that many experts are now speculating it may have been the work of a nation state or a highly organized cybercrime organization. But Syniverse has "concluded that no additional action, including any customer notification, is required at this time," it told the SEC.

So that's reassuring, at least.

— Padraig Belton, contributing editor, special to Light Reading
