Salt Typhoon Hack Exposes Millions Of Customer’s Data But AT&T And Verizon Notify Only ‘High Value’ Customers

The US telecom industry is having a bad week – and we’re not just talking about the cybercrime group "Salt Typhoon" hacking into major telecom networks. Nor are we talking about the vulnerability in Cisco’s hardware, leading to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) releasing an advisory for telecom businesses using Cisco’s gear.

As reported previously, the Salt Typhoon hack has highlighted critical security vulnerabilities in major U.S. telecommunications networks, affecting millions of users. The latest criticism is that AT&T and Verizon only notified a small group of "high-value" users about the breach, leaving most customers unaware that their data privacy had been violated.

So, what did this major hacking operation accomplish and why were all the victims not notified about it by AT&T and Verizon?

Let's get into the specifics!
 

What Happened In The Salt Typhoon Breach?

Salt Typhoon, a Chinese state-sponsored hacking group, infected at least eight U.S. telecom carriers' networks, with AT&T and Verizon being the most seriously affected.

The hackers got hold of private information such as call logs, timestamps, phone numbers and even location data. At the outset, it was thought that more than a million people, mostly in the Washington, D.C., area, were affected.

Then, findings from the FBI’s investigation were revealed to high-profile names, such as the presidential candidates Donald Trump and Kamala Harris, as well as the office of Senate majority leader Chuck Schumer. The FBI also told the press that the Chinese state-sponsored hackers are yet to be fully evicted from the telecom networks.

Yet, criticism arose when NBC News found that high-value targets were notified promptly but millions of other users, whose metadata was accessed by Salt Typhoon, remained uninformed. Both telecom giants are now facing backlash from privacy groups for failing to inform customers about the hacking incident.

So, why did the telecom companies not notify their users?
 

Why Were AT&T And Verizon’s Customers Not Notified?

 
According to the Federal Communications Commission (FCC), telecom companies must inform customers about breaches that put them at a high risk of harm, including "financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers."

Telecom companies have long used this rule to limit public notifications, arguing that metadata exposure alone may not meet the threshold for “harm.” However, experts argue that even a breach of metadata can be deeply intrusive, with Alan Butler, the Executive Director of the Electronic Privacy Information Center, saying that the carriers’ “deficient practices” have led to violations of privacy, whether the content was accessed or not.

In an official statement, AT&T said, “We will continue to comply with our obligations to notify affected parties.” However, unnamed sources revealed to NBC News that only a small subset of customers had actually been notified.

Similarly, Verizon claimed it contacted “only a small number” of customers directly impacted by the data interceptions but has no plans to notify others whose metadata was exposed.

Sources close to both AT&T and Verizon reported that there are currently no plans to notify most affected customers. Even NBC News, who reported the story, said that the telecom companies haven't clarified their plans to notify other customers.

So, are the telecom giants correct in following FCC’s rule or are they misinterpreting it?
 

What Are The Implications Of The Salt Typhoon Breach?

While AT&T and Verizon are unwilling to notify customers whose metadata was stolen or accessed by hackers, metadata, though not as explicit as personal data, reveals valuable patterns about an individual’s behavior, contacts and movements. Intelligence experts warn that metadata can be weaponized to map social networks, track locations and identify sensitive relationships.

In fact, Senator Ron Wyden from Oregon criticized the telecom businesses for not notifying customers and having weak security measures. He said, “Americans have a right to know when their data is stolen and this information is essential for consumers to make informed decisions.”

Cybersecurity experts, such as the Senate Intelligence Committee’s chairman Senator Mark R. Warner, called it the "worst telecom hack in U.S. history by far,” and urged telecom operators to adopt stricter security.

The breach has put the FCC under public pressure to tighten notification rules and hold telecom providers accountable for breaches. The proposed ideas include making cyber-attack readiness certifications a must for telecom operators as well as making notification rules for breaches much stricter.

While this is a silver lining, the FCC gives businesses the discretion to decide whether or not to notify users, based on the scope of the breach.
 

Conclusion

Even though telecom companies might not inform all victims, consumers are aware of the risk by keeping up with the ever-increasing news about security breaches. While the public will pressure telecom companies to better protect customer data, AT&T, Verizon and others might move to a system that notifies all affected users, not just the high-value clients.

With cybersecurity experts claiming that Salt Typhoon will keep trying to break into U.S. telecom networks and IT infrastructure, governmental agencies are keeping an eye on key telecom networks. Even lawmakers are considering passing new laws that would require telecom providers to follow stricter cybersecurity rules and inform customers about breaches in more detail.

Do you think it's fair for telecom giants like AT&T and Verizon to not notify all affected customers? Will we see more stringent regulations for securing customer data?

Tell us what you think in the comments below!