AT&T and Verizon reportedly are not notifying most customers whose call records were stolen in the ongoing attack attributed to Chinese hacking group Salt Typhoon. NBC News reported today that "the vast majority of people whose call records have been stolen by Chinese hackers have not been notified, according to industry sources, and there is no indication that most affected people will be notified in the near future."
US government officials said last week that major telecom companies have been unable to fully evict the Chinese state-sponsored hackers from their networks. There have been direct notifications to specific targets, such as government officials, whose calls were listened to and whose text messages were accessed. "President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of US security officials were among scores of individuals to have their calls and texts directly targeted," The Wall Street Journal wrote.
For most other victims, the data accessed apparently didn't include the contents of communications. It instead consisted of metadata like the numbers that phones called and when. These people are not receiving notifications from carriers, NBC News wrote today:
The hacking campaign accessed the metadata of more than a million people, an industry source briefed on the matter said. The FBI has no plans to alert those victims, an agency official said last week, and two industry sources, one familiar with AT&T's plans and one with Verizon's, said those companies have not contacted most of them.
In an emailed statement, an AT&T spokesperson said the company "will continue to comply with our obligations to notify affected parties." A person familiar with the company's plans said that meant AT&T was notifying only a very small number of victims who had been affected. A person familiar with Verizon's plans said it had made similar outreach to a small number of customers whose communications were affected.
Notifications not required for every breach
We contacted AT&T and Verizon today and will update this article if either company provides any information. While at least eight US communications companies were affected by the Chinese hackers, AT&T and Verizon appear to be the hardest hit. T-Mobile and Lumen (also known as CenturyLink) said last week they had no evidence that customer data was accessed.
Telecom companies aren't required to notify customers about every breach. A Federal Communications Commission order in December 2023 adopted a "harm-based notification trigger" in which "notification of a breach to consumers is not required in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed."
The FCC said that harm requiring notifications can include, but is not limited to, "financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers."
The FCC order argued that the harm-based standard would let carriers "focus their time, effort, and financial resources on the most important and potentially harmful incidents" and protect "customers from over-notification and notice fatigue, specifically in instances where the carrier has reasonably determined that no harm is likely to occur."
Senator: Telecoms should tell customers
US Sen. Ron Wyden (D-Ore.) this week criticized the carriers for having weak security and the FCC for "let[ting] phone companies write their own cybersecurity rules." Wyden proposed legislation to beef up telecom security requirements.
A spokesperson for Wyden today said that carriers should notify the affected customers.
"Senator Wyden strongly supports the phone companies notifying their customers about the theft of their data," the spokesperson told Ars. "Not only do Americans have a right to be told that their information was stolen, but this is useful information that could result in some consumers voting with their wallets and switching service to carriers that retain less data and or have better cybersecurity."
Stanford University researchers collected and studied telephone metadata for a 2016 paper to determine how it could be used against customers. "Using crowdsourced telephone logs and social networking information, we find that telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences," they wrote.
The FCC's December 2023 order argued that over-notification can cause customers "to change their passwords, purchase fraud alerts or credit monitoring, and freeze their credit in instances where the breach is not reasonably likely to result in any harm."
FCC: "No single factor" enough to make call
The FCC provided general guidance for carriers to determine which breaches require notification, saying that "no single factor on its own is sufficient to make a determination regarding harm to customers." Carriers should look at the "totality" of the data that was breached, the FCC said.
"For example, the disclosure of a phone number is less likely to create harm than if the number of calls to that phone number, the duration of those calls, the name of the caller, the content of the conversations, and/or other layers of information is also disclosed," the FCC order said.
The FCC specifically calls out financial information and passwords as data that would probably cause harm if obtained by hackers, but information about call metadata seems to be in a gray area legally. An FCC spokesperson declined to comment today when asked how the standard applies to call metadata.
In a different incident involving similar metadata, AT&T disclosed in July that a breach on third-party cloud platform Snowflake exposed the call and text records of nearly all of its cellular customers. In that case, AT&T said it would "provide notice to current and former customers whose information was involved along with resources to help protect their information."
The three major carriers have fought against FCC regulation of their data-handling practices. After the FCC fined the carriers for selling user location data, carriers sued and are arguing that the FCC didn't have authority to issue the penalties.