Text Message Giant Reveals Five-Year Breach

A major telecoms service provider has revealed it was the victim of a five-year breach impacting hundreds of customers.

Syniverse routes text messages for hundreds of global telco customers — allowing it to boast of reaching “more people and devices than anyone on Earth.”

However, in a filing with the SEC last week ahead of the firm going public via a merger with a special purpose acquisition company (SPAC), it admitted discovering a major incident back in May.

The unauthorized access to its operational and IT systems was subsequently found to have been ongoing since May 2016.

“Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers,” it continued.

“All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.”

Although the firm claimed it had seen no efforts to disrupt operations or monetize the attack, it could not rule out further discoveries.

“While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences,” it said.

“Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.”

It's unclear exactly what information the attackers would have gained access to with the EDT compromise, but it could theoretically include metadata or even the content of text messages, including one-time passcodes, which could unlock two-factor authentication-protected accounts.

The firm claims to process over 740 billion messages every year for 300+ global mobile operators.

An audacious supply chain raid like this bears the hallmarks of nation-state intelligence gathering or a highly organized cybercrime group.
