US telecommunications giant AT&T disclosed in July a breach that included the call and text message logs from six months of 2022 of “almost all” of its more than 100 million customers. But in addition to revealing details of the personal communications of a number of individual Americans, the FBI warned that call and text records of its agents were also included in the breach. A document seen and first reported by Bloomberg indicates that the bureau was trying to mitigate any possible consequences that might lead to revelations about the identity of anonymous sources connected to investigations.
The breached data did not include the content of calls and messages, but Bloomberg reports that it would show communication records for agents’ mobile numbers and other phone numbers they used over a six-month period. It’s unclear how far the stolen data has spread, if at all. WIRED reported in July that after hackers tried to extort AT&T, the company paid $370,000 in an attempt to have the data deleted. In December, American investigators charged and arrested a suspect who was allegedly behind the entity that threatened to release the stolen data.
In a statement to WIRED, the FBI said, “The FBI is constantly adapting its operational and security practices as physical and digital threats evolve. The FBI has a great responsibility to protect the identity and safety of confidential human sources, who provide information that protects the American people every day, often at risk to themselves.”
AT&T spokesman Alex Byers says in a statement that the company “worked closely with law enforcement to mitigate the impact on government operations” and appreciates the “thorough investigation” they conducted. “Given the growing threat from cybercriminals and government actors, we continue to increase investments in security, as well as monitoring and remediating our networks,” adds Byers.
The situation comes to light amid ongoing revelations about another hacking campaign by Chinese spy group Salt Typhoon that has compromised a number of US telecoms, including AT&T. This separate situation exposed call and text message logs for a small group of certain high-profile targets, and in some cases included recordings as well as information such as location data.
As the US government tried to respond, one recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency was for Americans to use end-to-end encrypted platforms, like Signal or WhatsApp, to communicate. In particular, Signal stores almost no metadata about its customers and would not reveal which accounts were communicating with each other if it were breached. The suggestion was good advice from a privacy perspective, but it was very surprising given the US Department of Justice’s historical opposition to the use of end-to-end encryption. But if the FBI is grappling with the possibility that its informants may have been exposed by the recent wiretapping, the turnaround makes more sense.
But if agents were to strictly monitor investigative communications, stolen AT&T call and text records shouldn’t pose much of a threat, says Jake Williams, a former NSA hacker and vice president of research at Hunter Strategy. Standard operating procedure should be designed to account for the possibility of call records being compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been associated with them or the US government. The FBI may have warned of the AT&T breach out of an abundance of caution, Williams says, or it may have discovered that agent errors and protocol errors were caught in the stolen data. “This wouldn’t be a counterintelligence issue unless someone followed procedure,” he says.
Williams also adds that while the Salt Typhoon campaigns are known to have only affected a relatively small group of people, they have affected many telecoms, and the full impact of these breaches is still unknown.
“I worry about FBI sources who may have been affected by this AT&T exposure, but more broadly, the public still doesn’t have a full understanding of the ramifications of the Salt Typhoon campaigns,” Williams says. “It seems the US government is still working to figure that out as well.”