Syniverse quietly reveals 5-year data breach

Syniverse, which bills itself as the “world’s most connected company,” disclosed in a September 27 SEC filing that it was the target of a security breach.  

Syniverse supplies messaging services for AT&T, T-Mobile and Verizon, as well as other carriers around the world. Vice reported on the hack yesterday.

The SEC filing is tied to Syniverse’s merger agreement with M3-Brigade Acquisition II Corp., a publicly traded special purpose acquisition company (SPAC), that will result in Syniverse becoming a publicly traded company. The transaction implies an initial enterprise value for Syniverse of $2.85 billion.

In the SEC filing, Syniverse said that in May 2021 it became aware of unauthorized access to its information technology systems by “an unknown individual or organization.” The investigation revealed that the unauthorized access began in May 2016 and that someone gained access to databases within its network on several occasions. Login information allowing access to and from its Electronic Data Transfer (EDT) environment was compromised for about 235 of its customers.

Syniverse said all affected customers were notified where contractually required and that it concluded no additional action was necessary. Law enforcement officials were notified. The company expects its cyber insurance will cover a substantial portion of its expenses in investigating and responding to the incident.

“Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity,” the company said in the SEC filing. “Syniverse did not experience and does not anticipate that these events will have any material impact on its day-to-day operations or services or its ability to access or process data.”

Vice was told by “a person who works at a telephone carrier” that whoever hacked Syniverse could have had access to metadata, such as length and cost, the caller's and receiver's numbers, the location of the parties in the call and the content of SMS text messages.

Syniverse did not immediately respond to questions from Fierce but sent a statement that read in part: “All EDT customers have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. We have communicated directly with our customers regarding this matter and have concluded that no additional action is required.”

In addition to resetting customer credentials, “we have implemented substantial additional measures to provide increased protection to our systems and customers. We will continue to communicate directly with our customers if needed. Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” the statement concluded. 

Syniverse, whose board consists of wireless industry veterans, including former Verizon executive Dan Mead and former FCC Chairman Julius Genachowski, provides services that deliver more than 370 billion annual transactions. Among the services it provides are signaling solutions that authenticate the identity of end-users while roaming and authorize the appropriate level of service in a visited network.