TL;DR: A Secret Service takedown uncovered a SIM farm with 300 SIM servers, over 100,000 active SIM cards, and infrastructure capable of sending 30 million text messages per minute, according to SecurityScorecard’s reporting on the CBS News New York segment. The case shows how telecommunications abuse can create emergency-communications risk that security and resilience teams cannot ignore.
NHIMG editorial — based on content published by SecurityScorecard: SecurityScorecard’s CISO joins CBS News New York to share insights on the Secret Service takedown
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks when large telecom asset pools are not tightly governed?
A: When a large pool of SIMs or communication devices can be activated at once, attackers can generate enough traffic to saturate networks, delay calls, and disrupt emergency coordination.
Q: Why do pooled telecom identities increase operational risk?
A: Because the risk scales with coordinated activation, not with a single device.
Q: How can security teams measure whether telecom abuse controls are working?
A: Track whether abnormal SMS or call volume is detected before service degradation, whether every high-volume asset has an owner, and whether shutdown actions can be executed quickly.
Practitioner guidance
- Inventory remotely controlled telecom assets Build a complete register of SIM servers, modems, phone banks, and any remote orchestration endpoints, then assign an accountable owner for each cluster.
- Set volume thresholds for abuse detection Define alerting for SMS, call, and registration rates that exceed normal operational baselines, and tie those alerts to incident response playbooks.
- Test emergency-communications failure scenarios Run exercises that assume cell congestion or mass SMS flooding during a major event, and validate fallback voice, radio, and coordination paths.
What's in the full analysis
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- The CBS News New York segment context and SecurityScorecard CISO commentary that frame the incident for public audiences.
- The investigation timeline and how federal agents linked the telecom threat to the New York tri-state area.
- The scale details of the SIM farm and the specific disruption scenarios discussed on air.
- The broader incident response and third-party risk framing used by SecurityScorecard's STRIKE team.
👉 Read SecurityScorecard's coverage of the Secret Service takedown and telecom disruption risk →
SIM farm disruption in New York: what it means for resilience teams?
Explore further
Telecom abuse is a pooled-identity problem, not just a network problem. When one operator can coordinate hundreds of servers and more than 100,000 active SIM cards, the real governance issue is how many identities and devices can be triggered together. That is structurally similar to unmanaged NHI sprawl in enterprise environments, where scale creates blast radius faster than individual controls can respond. Practitioners should assess pooled identity risk as an operational resilience issue.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when telecom saturation threatens emergency communications?
A: Accountability should sit with the owners of the infrastructure, the operators who can activate it, and the resilience function that tests the failure scenario. If third parties can provision the assets, contractual offboarding and emergency disablement rights also need clear responsibility.
👉 Read our full editorial: SIM farm disruption in New York shows telecom risk at scale