Do you work for AT&T, T-Mobile, Verizon or Sprint? Did you used to? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected] store different data to those organizations, but information that would still be of value to nation state adversaries. This includes location data, customers' communications, web browsing, and app usage, the letter adds. Indeed, one report from a cybersecurity firm recently claimed hackers likely working for China broke into ten phone carriers to steal metadata related to particular targets (Motherboard has not independently verified that report). "Your companies collectively hold deeply-sensitive information about hundreds of millions of Americans. It should come as no surprise that this data is a juicy target for foreign spies," Wyden's letter adds.
In a letter signed by Sen. Ron Wyden, a Democrat from Oregon, and Sen. Tom Cotton, a Republican from Arkansas, the senators ask Senate Sergeant at Arms Michael Stenger to provide an annual report on the number of times Senate computers have been hacked, and incidents where hackers were able to access sensitive Senate data.
It's important to note that data held by phone carriers is routinely used in criminal investigations.The Federal Communications Commission (FCC) requires carriers to retain customers' phone records for 18 months. Telecos typically hold onto them for much longer though. AT&T keeps customer long distance and international call records as far back as 1987, as the New York Times previously reported.
"This data hoarding by telephone companies is unnecessary—firms do not need 20 years’ worth of customer records to manage their networks—and these stockpiles of Americans’ data create an irresistible target for hackers and foreign governments," Wyden's letter adds.
Wyden explicitly asks the telcos to reduce their retention of customers' records to a few weeks or couple of days, depending on the type of data.
The carriers have until September 4th to respond.
Subscribe to our new cybersecurity podcast,CYBER.