A massive data breach by Chinese hacking group Salt Typhoon has compromised the personal information of over a million U.S. telecommunications customers, yet major carriers AT&T and Verizon chose to notify only select customers whose data was directly intercepted.
The breach, which targeted eight U.S. telecom and internet service providers, exposed sensitive metadata including messages, phone calls, and phone numbers. Customers in Washington, DC were particularly impacted by the intrusion.
According to recent reports, both AT&T and Verizon adopted a limited notification strategy, informing only those customers whose calls and texts were specifically intercepted. This selective approach has sparked intense criticism from privacy advocates and the tech community, who argue that all affected customers deserve to know their data was compromised.
The FBI has distanced itself from notification responsibilities, stating that carriers bear the duty of alerting customers about stolen records. "That would not typically fall to CISA or the FBI," officials noted.
Salt Typhoon successfully exploited vulnerabilities in outdated infrastructure to gain unauthorized system access. While telecom companies work to address the breach's impact, privacy experts warn that leaving millions of customers in the dark about their exposed data creates additional risks.
The incident highlights growing concerns about data protection practices and transparency in the telecommunications industry. Critics are now calling for stricter notification requirements and improved accountability measures when customer data is compromised.
The breach ranks among the most severe intrusions into U.S. telecommunications systems, yet the limited notification approach means many affected customers remain unaware their information was accessed by unauthorized parties.