AT&T, Verizon Fail To Inform Customers About Major Salt Typhoon Hack
For the better part of the last thirty years, telecom giants and “free market” libertarian think tanks have told anybody who’d listen that gutting regulatory oversight of the U.S. wireless and broadband markets would result in near-Utopian outcomes across innovation and competition.
Instead, the reduction in both competition and real oversight resulted in regional telecom giants like AT&T and Comcast doubling down on all their worst behaviors. Americans now pay some of the highest prices in the world for spotty, sluggish broadband access and abysmal customer service.
But this mindless deregulatory mindset also harms public safety, national security, and consumer privacy. Case in point: the Congressional and regulatory failure to hold telecoms accountable for lax security and lax privacy standards keeps resulting in ugly hacking and privacy scandals that only seem to get worse.
Case in point, eight major U.S. telecoms were recently the victim of a massive intrusion by Chinese hackers who managed to spy on public U.S. officials. The “Salt Typhoon” hack was so severe, the intruders (as of last week) were still rooting around the ISP networks. AT&T and Verizon, two of the compromised companies, apparently didn’t think it was worth informing subscribers:
“The hacking campaign accessed the metadata of more than a million people, an industry source briefed on the matter said. The FBI has no plans to alert those victims, an agency official said last week, and two industry sources, one familiar with AT&T’s plans and one with Verizon’s, said those companies have not contacted most of them.”
FCC cybersecurity rules have always been pretty lax, thanks in part to industry lobbying and the self-serving quest for regulation zero. As Ars Technica notes, FCC rules only recently began to require that telecoms inform the lowly plebs — but not if the carriers pinky swear the risk of the intrusion is limited:
“A Federal Communications Commission order in December 2023 adopted a “harm-based notification trigger” in which “notification of a breach to consumers is not required in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed.”
But these hacks are almost always worse than what’s originally reported. And you can’t really trust the companies, keen on downplaying their own incompetence, with being fully transparent about the full scope of the attack. Often they have no idea. If they can’t say with confidence they have kicked the Chinese hackers out of their networks, they can’t say with any confidence what data was impacted.
T-Mobile alone was hacked eight times in the last five years because the company and executives don’t face meaningful penalties (they were also distracted by the rubber stamping of the Sprint T-Mobile merger, which was approved by the first Trump administration despite clear competitive harm). The U.S. is simply too corrupt to pass even a baseline privacy law for the internet era.
Most of the press outlets covering the Salt Typhoon hack can’t be bothered to tether mindless deregulation to the active harm to consumer privacy and national security. Senator Ron Wyden was once again at the forefront of reminding folks last week that lax regulatory oversight directly contributed to this steady parade of scandals.
Instead of shoring up telecom privacy and security oversight, Trump 2.0 will take the opposite tack: dismantling what’s left of regulatory independence and consumer protection standards to please these same giant companies. Thanks to the Trumplican stacked 5th and 6th circuits and Supreme Court, telecoms are currently in multiple courts successfully arguing the FCC has no authority to do absolutely anything our biggest telecom corporations don’t like.
What could possibly go wrong?