AVL Blog - Communications Law & Technology

View Original

Syniverse Was Victim Of Ongoing Breach That Began In May 2016

October 4, 2021 – According to a recent U.S. Securities and Exchange Commission filing, Global telecommunications and technology company Syniverse was the victim of an ongoing breach that began in May 2016.

According to the SEC filing, Syniverse discovered the breach in May 2021, and after an investigation, determined an “individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer...environment was compromised for approximately 235 of its customers.”[1] That means someone was inside Syniverse’s systems for five years. Undetected. For five years.

Information about the breach was disclosed on a Schedule 14A, preliminary proxy statement, filed with the SEC by M3-Brigade Acquisition II Corp.

Motherboard reported that whoever gained entry to the Syniverse databases would have been able to access a significant amount of metadata and private information:

A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records. 

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.[2]

The following is the summary of the Syniverse breach contained in the SEC filing:

For example, in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”). Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.

The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers. All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.

Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time.

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity. Syniverse did not experience and does not anticipate that these events will have any material impact on its day-to-day operations or services or its ability to access or process data. Syniverse has maintained, and currently maintains, cyber insurance that it anticipates will cover a substantial portion of its expenditures in investigating and responding to this incident.

While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business. The release of any of this information could have a material adverse effect on Syniverse’s business, reputation, financial condition and results of operations.

Syniverse expends significant resources to protect against such threats and may be required to further expend resources to alleviate problems caused by physical, electronic, and cybersecurity breaches. Regardless of Syniverse’s expenditures and protective efforts, Syniverse may not be able to implement security measures in a sufficiently timely manner or, if implemented, these measures could be circumvented and Syniverse may fail to detect and/or respond to security breaches in a timely manner. Despite Syniverse’s security measures, its IT systems and infrastructure or those of third parties on which it relies may still be vulnerable to such cyber incidents. The results of these incidents could include, but are not limited to, disrupted operations, increased risks of lawsuits, misstated or misappropriated financial data, theft of Syniverse’s intellectual property or other confidential information (including of Syniverse’s customers, suppliers, vendors and employees), liability for stolen assets or information, increased cybersecurity protection costs, including costs related to maintaining cyber insurance, and reputational damage adversely affecting customer or investor confidence. In addition, if any information about Syniverse’s customers, including payment information or personal data, were the subject of or misappropriated in a successful cybersecurity attack against Syniverse, Syniverse could be subject to investigations and litigation or other claims by the affected customers and data protection regulators in multiple jurisdictions. Furthermore, if a high-profile security breach or cyberattack occurs affecting another provider of mission-critical mobile communications services, Syniverse’s customers, suppliers, vendors and prospective customers, suppliers and vendors may lose confidence in the security of these business models generally, which could harm Syniverse’s reputation and brand image. If Syniverse’s services are perceived as not being secure, Syniverse’s overall strategy to be a leading provider of technology solutions to the wireless ecosystem may be adversely impacted.

**********

[1] M3-Brigade Acquisition II Corp., Schedule 14A, Proxy Statement Pursuant to Section 14(a) of the Securities Exchange Act of 1934, U.S. Securities And Exchange Commission, pp. 69-70 (Sep. 27, 2021 ), https://www.sec.gov/Archives/edgar/data/1839175/000119312521284329/d234831dprem14a.htm.

[2] Company That Routes Billions of Text Messages Quietly Says It Was Hacked, Lorenzo Franceschi-Bicchierai, Vice Motherboard (Oct. 4, 2021), https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked.