Thursday, Senator Ron Wyden sent a letter to major U.S. telecommunications companies AT&T, T-Mobile, Sprint, and Verizon urging them to lower the amount of sensitive data they store on customers. Those large pools of data present a significant hacking risk, Wyden argued.
The letter comes a day before Wyden is scheduled to give a talk at the annual Def Con hacking conference entitled Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster.
"I write to ask that you protect your customers’ privacy—and U.S. national security—from foreign hackers and spies by limiting the time you keep records about your customers’ communications, web browsing, app usage and movements," Wyden's letter addressed to the CEOs of each teleco reads.
In his letter Wyden points to the massive data breaches of the U.S. Office of Personnel Management (OPM), the healthcare company Anthem, and the hotel chain Starwood as examples of large organizations that store sensitive data and were subsequently hacked.
Do you work for AT&T, T-Mobile, Verizon or Sprint? Did you used to? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Telcos store different data to those organizations, but information that would still be of value to nation state adversaries. This includes location data, customers' communications, web browsing, and app usage, the letter adds. Indeed, one report from a cybersecurity firm recently claimed hackers likely working for China broke into ten phone carriers to steal metadata related to particular targets (Motherboard has not independently verified that report).
"Your companies collectively hold deeply-sensitive information about hundreds of millions of Americans. It should come as no surprise that this data is a juicy target for foreign spies," Wyden's letter adds.
It's important to note that data held by phone carriers is routinely used in criminal investigations.
The Federal Communications Commission (FCC) requires carriers to retain customers' phone records for 18 months. Telecos typically hold onto them for much longer though. AT&T keeps customer long distance and international call records as far back as 1987, as the New York Times previously reported.
"This data hoarding by telephone companies is unnecessary—firms do not need 20 years’ worth of customer records to manage their networks—and these stockpiles of Americans’ data create an irresistible target for hackers and foreign governments," Wyden's letter adds.
Wyden explicitly asks the telcos to reduce their retention of customers' records to a few weeks or couple of days, depending on the type of data.
The carriers have until September 4th to respond.
Subscribe to our new cybersecurity podcast, CYBER.