Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.
“Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”
A failure of security with potentially staggering consequences for years to come. Syniverse did not disclose any of this publicly, and the breach was apparently closed in May 2021. It was only revealed in an SEC filing last week as the company prepares to go public. This breach occurred under its current ownership by the Carlyle Group, a private equity firm.
Great reporting from Franceschi-Bicchierai, and a cowardly response from Syniverse.
Update: I recommend reading Matt Stoller’s piece, which you may remember from earlier this year, about how private equity’s financialization of industries squeezes their contingency planning in favour of easier profits.