Company That Handles Billions Of Text Messages Quietly Admits It Was Hacked Years Ago

from the whoops-a-daisy dept

We’ve noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry’s treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry’s refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

Now this week, a wireless industry middleman that handles billions of texts every year has acknowledged its security isn’t much to write home about either. A company by the name of Syniverse revealed in a September SEC filing, first noted by Motherboard, that it was the target of a major attack. The filing reveals that an “individual or organization” gained unauthorized access to the company’s databases “on several occasions.” That in turn provided the intruder repeated access to the company’s Electronic Data Transfer (EDT) environment, compromising 235 of its corporate telecom clients.

The scope of the potentially revealed data is, well, massive:

“Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.”

Amazingly enough, the hack began in 2016 but was only discovered this year. How much data was accessed? Why did it take so long? Was it a Chinese- or Russian-sponsored attack? Why was there absolutely no transparency about the breach until now? Why aren’t Syniverse or any wireless carriers being clear about what happened? Have government officials been compromised? Have those officials been notified by anybody? Good questions:

“The information flowing through Syniverse’s systems is espionage gold,” Sen. Ron Wyden told Motherboard in an emailed statement. “That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.”

Between this and the SS7 flaw alone, you have to inherently assume that most global wireless communications have been significantly compromised for a long while in some fashion. And like most hacks, the scale of this will only get worse as time goes by. Security and privacy at massive international scale isn’t easy, but these kinds of repeated scandals don’t have to happen. They’re made immeasurably worse by our lack of even a basic internet-era privacy law, intentionally underfunded and understaffed U.S. privacy regulators, and our failure to hold companies accountable in any meaningful way for repeated and massive screw-ups. Mostly because doing any of these things might put a dent in quarterly revenues.

Companies: syniverse


Comments on “Company That Handles Billions Of Text Messages Quietly Admits It Was Hacked Years Ago”

Anonymous Coward says:

Re: Re:

It’s pretty sad that the telcos don’t seem to be doing anything (useful) lately, and are just outsourcing. For about a century they were at the forefront of technical development (having invented the transistor, the laser, the photovoltaic cell, UNIX, …), and now they need someone to help them send 160 characters from one place to another?

ECA (profile) says:

Long time no tell

It's been shown over many years that All and every system in the USA has backdoors.
From the old black boxes used to freak the phone system, to the Backbone. The USA gov has always placed back doors into our systems, for their Own use. And some to monitor what's going on.
Even our phone ID system has Created holes in it, if you know how they work.

PaulT (profile) says:

"How much data was accessed?"

Given that SMS is commonly used by so many places as the default 2FA option to secure pretty much any kind of sensitive account, that’s a hell of a question…

The admission seems to imply that the access was only metadata and not control of the messages themselves, but there’s no way a company that took this long to report can be trusted on that kind of factual information.
