Syniverse, a telecom company that helps carriers like Verizon, T-Mobile, and AT&T route messages between each other and other carriers abroad, disclosed last week that it was the subject of a possible five year long hack. If the name Syniverse sounds familiar, the company was also responsible for the disappearance of a swath of Valentine’s Day text messages in 2019.
The hack in question was brought to light in a Securities and Exchange Commission filing Syniverse published last week. In it, Syniverse shares that in May 2021 it “became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization.” The company did its due diligence notifying law enforcement and conducting an internal investigation, resulting in the discovery that the security breach first started in May 2016. That’s five years of (possibly) unfettered access.
The hackers “gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers,” the filing reads. That could include access to call records, and metadata like phone numbers, locations, and the content of text messages, according to Motherboard’s sources.
Syniverse’s SEC filing says the company notified anyone caught up in the breach, and reset credentials were appropriate. Additionally, “Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity,” the filing states. Syniverse provided The Verge with a statement that reiterated what the company told the SEC: the company has addressed the issue and “will continue to communicate directly with [its] customers if needed.”
Verizon and AT&T did not immediately respond to a request for comment from The Verge. T-Mobile told both Ars Technica and The Verge that it was “aware of a security incident” with Syniverse but there is “no indication that any personal information, call record details or text message content of T-Mobile customers were impacted.”
Syniverse’s security breach was revealed as the company is trying to go public through a merger with a special purpose acquisition company (SPAC), but it seems like it was a target in the first place because of the company’s size. Syniverse has spent the last decade becoming a quasi-gatekeeper for multiple US carriers through acquisitions, The Verge’s earlier reporting found. Size matters in business, but as with the SolarWinds hack, it matters even more when something goes wrong.