The vast majority of people whose call records have been stolen by Chinese hackers have not been notified, according to industry sources, and there is no indication that most affected people will be notified in the near future.
The FBI, AT&T and Verizon — the two telecommunications companies the hacking campaign appears to have affected most severely — have for months alerted some victims whose phone calls were listened to or texts were read. Many of those people were high-value intelligence targets related to U.S. politics and government, an FBI official said in a media call last week. The presidential campaigns of Donald Trump and Kamala Harris, as well as the office of Senate Majority Leader Chuck Schumer, D-N.Y., told NBC News in October that the FBI had informed them that they had been targeted.
The hackers accessed a different but still sensitive type of information for far more people, mostly in the Washington, D.C., area: more generalized information about phone calls and texts, called metadata. Phone companies maintain records such as which phone numbers participated in calls, when those calls happened and, potentially, the locations of the cell towers the phones connected to.
Even if the records do not pair phone numbers with customers, intelligence services may already know targets’ numbers and use phone metadata to map out their travels and contacts.
Alan Butler, the executive director and president of the nonprofit Electronic Privacy Information Center, said having one’s phone metadata exposed is a clear violation of privacy.
“You should be upset, because carriers’ deficient practices resulting in the exposure of whether you called an oncologist or your church is enough of a violation, regardless of whether the actual content of those calls was also disclosed,” Butler told NBC News.
The hacking campaign accessed the metadata of more than a million people, an industry source briefed on the matter said. The FBI has no plans to alert those victims, an agency official said last week, and two industry sources, one familiar with AT&T’s plans and one with Verizon’s, said those companies have not contacted most of them.
In an emailed statement, an AT&T spokesperson said the company “will continue to comply with our obligations to notify affected parties.” A person familiar with the company’s plans said that meant AT&T was notifying only a very small number of victims who had been affected. A person familiar with Verizon’s plans said it had made similar outreach to a small number of customers whose communications were affected.
Both companies declined to clarify plans for alerting people whose metadata was accessed. The Federal Communications Commission, which oversees telecommunications companies’ obligations to customers whose information is breached, declined to comment.
The hacking campaign, nicknamed Salt Typhoon, is one of the largest intelligence compromises in U.S. history. It has breached eight domestic telecom and internet service providers and dozens of others around the world, and it is still ongoing, a White House official said last week. The U.S., Australia, Canada and New Zealand claim it is part of an intelligence operation conducted by China.
A spokesperson for the Chinese Embassy in Washington has denied responsibility.
While some consider phone metadata to be less sensitive than the contents of communications, it can still provide enormous value to intelligence services. In a 2014 forum, Gen. Michael Hayden, who previously directed both the CIA and the National Security Agency, said, “We kill people based on metadata.”
Dakota Cary, a China adviser at the cybersecurity company SentinelOne, said Chinese intelligence would most likely find call records, times and phone locations for the Washington area valuable.
“If they pulled the call data for the National Capital Region, that would be useful for intel,” Cary said. “Mapping the social relationships between groups of politicos would be pretty useful.”
The U.S. and Western cybersecurity companies have for years accused China’s cyberspies of systematically stealing Americans’ personal information. China has generally denied the accusations, often referring to the U.S.’ own spying efforts.
In a media call last week, the senior White House official, who asked not to be named, said that the government does not believe every American’s phone records had been exposed but that Chinese intelligence had accessed the metadata of a large number of people it would be interested in.
In the FBI media call, the official said that while the FBI had conducted a major outreach campaign to people whose communications were accessed, it would not do so for people who only had their metadata stolen.
“The providers and/or the carriers, whatever term we want to use, would really have the responsibility to notify their customers of the stolen records. That would not typically fall to CISA or the FBI,” the FBI official said. CISA is the Cybersecurity and Infrastructure Security Agency.
“Where we’ve actually been able to prove content intercept, whether text or audio, the FBI has made individual victim notifications to all of those individuals or to their counsel,” he said.
Beyond AT&T and Verizon, other companies the Salt Typhoon campaign targeted have either said little about what the hackers accessed or said the hackers were not able to get much. Lumen, a midsize Louisiana-based internet service provider, was identified this year as a victim of Salt Typhoon, though it is unclear what the hackers sought to gain from it. A Lumen spokesperson said that the company had no evidence Chinese hackers were still in its networks and that “our federal partners have not shared any evidence that would suggest otherwise.”
Another midsize internet service provider, Charter Communications, was targeted in the Salt Typhoon campaign, a person familiar with the matter said.
Unlike other companies, T-Mobile has been relatively open with the public about having initially been infiltrated by hackers who appeared affiliated with Salt Typhoon, though it says that the hackers’ access appears to have been cut off and that no customer data was accessed.
Jeff Simon, the company’s chief security officer, said the hackers appeared to have tried to gain access through another telecommunications company.
“We were able to detect that activity rather quickly and essentially disconnect or stop it by disconnecting the connectivity to the other telecommunications provider,” he said.
Simon reiterated that the campaign was ongoing, however.
“They did not give up,” he said. “Our assumption is that this actor is not going to give up after this one round. I mean, they’re going to keep trying to get back in.”
Kevin Collier is a reporter covering cybersecurity, privacy and technology policy for NBC News.