Hackers likely stole FBI call logs from AT&T that could put insiders at risk


US telecoms giant AT&T disclosed a breach in July that involved six months of call and text logs from 2022 for “almost all” of its more than 100 million customers. Beyond exposing the personal communication details of individual Americans, the breach also included FBI agents’ call and text records, and the bureau was aware of it. A document seen and first reported by Bloomberg indicates the bureau has scrambled to mitigate any potential fallout that could reveal the identities of anonymous sources connected to investigations.

The breached data did not include the content of calls and texts, but Bloomberg reports that it would have shown communication logs for agents’ cellphone numbers and other phone numbers they used during the six-month period. It is unclear how widely the stolen data spread, if at all. WIRED reported in July that after the hackers tried to blackmail AT&T, the company paid $370,000 in an effort to remove the database. In December, US investigators charged and arrested a suspect believed to be behind the entity that threatened to leak the stolen data.

In a statement to WIRED, the FBI says: “The FBI is constantly adapting our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and safety of confidential human sources, who share information every day that keeps the American people safe, often at risk to themselves.”

AT&T spokesman Alex Byers said in a statement that the company “worked closely with law enforcement to mitigate the impact on government operations” and appreciates the “thorough investigation” they conducted. “Given the increasing threat from cybercriminals and nation-state actors, we continue to increase investments in security, as well as monitor and restore our networks,” adds Byers.

The situation emerges amid ongoing revelations about another hacking campaign conducted by China’s Salt Typhoon spy group, which has compromised a number of US telecommunications services, including AT&T. This separate situation exposed call and text logs for a smaller group of specific high-profile targets, and in some cases included recordings as well as information such as location data.

As the US government scrambled to respond, one recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency was for Americans to use end-to-end encrypted platforms – such as Signal or WhatsApp – to communicate. Notably, Signal stores almost no metadata about its customers and won’t reveal which accounts communicated with each other if breached. The suggestion was good advice from a privacy perspective, but was very surprising given the US Department of Justice’s historical opposition to the use of end-to-end encryption. However, if the FBI has grappled with the possibility that its own informants may have been exposed by a recent telecommunications breach, the about-face makes more sense.

If agents strictly followed protocol for investigative communications, however, the stolen AT&T call and text logs shouldn’t pose much of a threat, says former NSA hacker and Hunter Strategy vice president of research Jake Williams. Standard operating procedure should be designed to account for the possibility that call logs could be compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been linked to them or the U.S. government. The FBI could have warned about the AT&T breach out of an abundance of caution, Williams says, or it might have discovered that agents’ mistakes and protocol errors were embedded in the stolen data. “It wouldn’t be a counterintelligence issue unless someone wasn’t following procedure,” he says.

Williams also adds that while the Salt Typhoon campaigns only affected a relatively small group of people, they affected many telecommunications companies, and the full impact of those breaches may not yet be known.

“I am concerned about the FBI sources who may have been affected by this AT&T exposure, but more broadly, the public still does not have a full understanding of the fallout from the Salt Typhoon campaigns,” says Williams. “And it appears that the US government is still working to figure that out as well.”
