Hack of Salt Typhoon: Telecom Companies Have Not Notified Affected Customers, According to a Report.

A recent report has surfaced regarding the lack of response from major telecommunications companies like AT&T and Verizon in the face of a phone data hacking campaign backed by China. According to this analysis, the full scope of the victims affected by this incident, which has been ongoing over time, has not been adequately addressed.

Last week, representatives from the FBI reported that state-sponsored Chinese hackers have not yet been fully expelled from networks in the United States. For several months, the agency has been alerting “high-value intelligence targets,” which include campaigns of figures like Donald Trump and Kamala Harris, about the magnitude of the attack, which primarily affects those who are of interest to the U.S. government. However, the vast majority of the nearly one million people who could have been impacted are likely ordinary citizens who have not yet been notified of their situation.

Telecommunications companies have not provided clarifications regarding their plans to inform affected customers. The China-backed espionage campaign, known as Salt Typhoon and detected by Microsoft, has employed advanced persistent threat (APT) attacks to infiltrate at least eight companies in the sector, with the aim of exposing individual communications. Recent investigations have revealed that this initiative has been underway for years and has involved access to data from Americans, in addition to monitoring the communications of political targets. The chairman of the Senate Intelligence Committee, Mark R. Warner, described this incident as “the worst hacking in the history of telecommunications in the U.S.”

Furthermore, it has been reported that Salt Typhoon accessed device metadata, particularly in the Washington D.C. area, which could have been used to track movements and personal communications, although this does not include the content of those communications.

On the other hand, the FCC mandates that telecommunications companies are required to notify their customers only if it has been confirmed that they have been harmed by the breach. Situations that must be reported include financial harm, physical harm, identity theft, among other similar risks. However, the interpretation of what constitutes harm and the extent of it is left to the discretion of each company. So far, most of the affected telecommunications networks have remained silent about the breach. T-Mobile, for its part, has informed its customers about an infiltration, stating that the hackers were expelled and that no customer data was accessed.