Seven U.S. citizens are suing Syniverse, a critical company in the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others, after the company discovered a data breach that lasted from 2016 until this year and that potentially exposed data of millions of users.
A group of three and another group of four cellphone users living across the U.S. filed two lawsuits against Syniverse, accusing it of being negligent in protecting their data, such as call records, call locations, and text messages. Both groups of plaintiffs argue that these lawsuits should be considered a class action including all individuals in the U.S. impacted by the Syniverse data breach.
In early October, Motherboard reported that Syniverse had quietly disclosed that hackers had penetrated its networks in May of 2016, and went undetected until May of this year. The company disclosed the data breach in a filing with the Securities and Exchange Commission as part of the process to go public.
The company did not detail exactly what data the hackers accessed, and declined multiple requests for comment asking about the specific extent of the breach. But cellphone network experts, as well as former Syniverse employees, said that the hackers could have accessed a breadth of highly sensitive data.
“Syniverse is among the most important telecom firms that nobody has heard of,” Jonathan Mayer, a professor at Princeton University and a former chief technologist at the Federal Communications Commission, told Motherboard in an email.
Do you work or used to work at Syniverse or another telecom provider? Do you have more information about the Syniverse breach? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email firstname.lastname@example.org.
“Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, previously told Motherboard.
Both lawsuits, one filed on October 5 and the other on October 7, accuse Syniverse of failing to secure sensitive personal data of millions of individuals, according to the complaints.
A Syniverse spokesperson declined to comment, arguing that the company does not “comment on pending litigation.”
In the second lawsuit the plaintiffs accused Syniverse of being careless in securing cellphone customers’ data, and failing to notify victims of the data breach.
“Syniverse could have prevented this Data Breach by properly securing and encrypting the [Personal Identifying Information] of Plaintiffs and Class Members,” the second complaint read. “Syniverse’s negligence in safeguarding Plaintiffs’ and Class Members’ PII is bewildering given the repeated warnings and alerts about the need to protect and secure sensitive data.”
“At all relevant times, Syniverse knew, or reasonably should have known, of the importance of safeguarding the PII of Plaintiffs and Class Members,” the plaintiffs wrote in the second complaint.
The group complained that as a result of the breach they will have to monitor their personal and financial data, and may suffer injury or harm “including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses,” as well as identity theft.
One lawsuit was filed by Melissa Baron, a T-Mobile customer; Olivia Enloe, a Verizon customer; Marco Lerra, a T-Mobile and Verizon customer; and John Pels, an AT&T customer. The other was filed by Alexis Mullen, a Verizon customer; Nicholas Yeomelakis, an AT&T customer; and Thomas Mcnish, a T-Mobile customer.
Lawyers representing the seven plaintiffs did not immediately respond to a request for comment.
Syniverse provides services to 95 of the 100 biggest telecom providers in the world, including the three major U.S. ones, as well as international giants such as Vodafone, China Mobile, and Telefonica. Syniverse routes text messages between different providers, and manages customers roaming outside of their countries and using different networks from their own. Because of this, the company has access to text message content, as well as cellphone metadata such as length and cost, the caller's and receiver's numbers, and the location of the parties in the call.
“In a nutshell, Syniverse may be the most important company you’ve never heard of,” Syniverse CEO Andrew Davis said in a conference call on August 17, according to a transcript of the call filed with the SEC. “We are the trusted neutral intermediary and central nervous system that keeps devices, data traffic and messages flowing seamlessly and securely across the globe.”