How the SMS Hack Exposed U.S. Telecom Security Risks
- Published: Jan 02, 2025
- Last Updated: Jan 15, 2025
Popularly known as text messages, SMS messages are one of the most widely used communication channels among Americans and serve various purposes. Besides being a channel of communication among individuals, several million Americans rely on SMS to access and secure their social media, email, and online banking accounts, particularly through one-time passcodes (OTPs), which are typically delivered via SMS. Little wonder the system became a target for security breaches.
The recent SMS system data breach is arguably one of the largest infrastructure hacks and intelligence compromises in the history of the United States. According to reports, at least eight telecommunication firms in the U.S., including Verizon, AT&T, and Lumen Technologies, have been impacted by this breach. Some agencies of the United States government allege that hackers from China, a group known as Salt Typhoon, are on a cyber espionage campaign to infiltrate major telecom companies and steal consumers’ data. They also believe the security breach was targeted at recording phone calls in isolated cases.
The hackers have reportedly stolen a large number of records containing information on when, where, and with whom phone users were communicating. However, no actual text or audio messages were accessed, except those of some individuals in Washington, D.C. The United States government believes that this major cyberattack on some of the big U.S. telecom firms was aimed at spying on the American government and politics in a bid to collect certain information.
While the SMS system hack is believed to be focused on American government officials and politicians, experts have warned all phone consumers about the insecurity of using SMS text messages, as they are unencrypted. The United States government is still working to determine the extent of the SMS system breach. Chinese officials have denied the country was responsible for the SMS system hacking campaign.
When Was the SMS System Data Breach?
The SMS system hacking campaign was first publicly disclosed in the lead-up to the 2024 United States general election. On November 12, 2024, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint statement on the PRC (People’s Republic of China) targeting of the U.S. commercial telecommunications infrastructure. Investigations conducted by the U.S. government revealed a broad cyber espionage campaign on the nation’s telecoms infrastructure to aid the compromise of private communications of a limited number of persons involved in politics and others in government.
According to investigations, the hackers responsible for the SMS system breach generally accessed call records, live phone calls, and the CALEA systems. Accessed call records include phone numbers dialed and when the calls were made. The live phone calls accessed were those of specific targets. The CALEA systems, which telecom firms use in compliance with the Communications Assistance for Law Enforcement Act (CALEA), permit intelligence and law enforcement agencies to track people’s communications with court orders. According to the FBI, this system was also accessed by the hackers.
How to Check If Your Data Was Breached
The FBI and CISA have already notified Android and Apple users of the SMS system breach espionage campaign because they believe messages sent between Android phones and iPhones are less secure.
Generally, if you start getting text messages requesting you to reveal sensitive data like account information or passwords, it may be an indication that copies of the communications you received via text messages have been accessed by hackers. Similarly, when you receive an OTP that you never requested, it may indicate that someone is trying to access your accounts, possibly to obtain further identifying information or perpetrate other types of fraud.
What to Do If Your Data Was Breached
Generally, concerns about the security of SMS messaging have emerged since the attack on the United States’ largest telecom firms and the announcement of the SMS system breach. While the breach did not include personally identifying data, any information could help hackers access more data and ultimately defraud unsuspecting individuals.
Individuals with Apple and Android devices may continue to exchange text messages with other users with the same devices because each operating system has an internally secure messaging system. However, the FBI has advised phone network consumers to adopt the use of third-party applications that provide end-to-end encryption for text messaging until the hackers have been evicted from the big telecom firms’ networks. As such, if you have concerns about the security of your SMS messaging, you are encouraged to send text messages through apps like WhatsApp and Signal to reduce the chance of hackers intercepting your messages.
Furthermore, you should consider using a cell phone that automatically detects and receives timely operating system updates, along with phishing-resistant MFA and responsibly managed encryption for social media and email. While using applications that provide end-to-end encryption is good practice and strongly advised, it may not be foolproof, as hackers have other ways of intercepting users’ communications. Rebooting your cellphone periodically and installing all software updates are also advised.
Are There Any Lawsuits Because of the Data Breach?
Currently, there are no known lawsuits related to the SMS system hack on the United States telecommunication networks that went public in December 2024.
Can the Information Obtained As a Result of the SMS System Breach Be Used for Identity Theft?
Yes. Hackers may use any information obtained from intercepted communication to further access personally identifying data, which they may use for identity theft and other types of scams. For instance, if hackers intercept your text messages and obtain OTPs for your banking services, they may be able to bypass certain security controls and access confidential accounts and information, which may ultimately lead to financial fraud and identity theft. With such information in the hands of hackers, they may create new bank accounts, take out loans, and apply for credit cards.
What Can You Do to Protect Yourself Online?
Following the SMS system hack, CISA strongly encourages people to immediately apply certain best practices to their devices and online accounts to protect mobile communications and safeguard their data online. Although no single solution eliminates all risks, you may implement the following best practices to significantly enhance the protection of your sensitive information online and safeguard confidential communication against malicious cyber hackers:
- Until the issues are sorted, migrate away from SMS-based MFA because SMS messages are not encrypted. Avoid using SMS as a second factor for authentication, as SMS MFA is not resistant to phishing and, therefore, not recommended for account authentication.
- Use free messaging applications that provide end-to-end encryption for all your communications. In this case, WhatsApp and Signal readily come to mind, as they are both compatible with Android and iPhone operating systems.
- Enroll in a secure credit monitoring service to monitor your personal information and credit file. Such services are generally designed to alert you of any changes in your credit file, which may come in handy in the event of a data compromise.
- If your telecommunication provider offers the ability to set up additional passcodes or PINs for mobile phone accounts, consider doing so. A PIN is typically required to log into your account and complete some sensitive operations with your mobile account.
- Avoid using a personal virtual private network (VPN). Typically, VPNs shift residual risks from an internet service provider to the VPN provider, which generally increases the chances of hackers’ attacks. Most free VPN providers have unclear security and privacy policies, and it is not recommended that you use them.
- Make it a habit to regularly educate yourself on cybersecurity and the latest cyber threats using sites like IDStrong. This will largely equip you with the required knowledge to avoid falling prey to cybercrimes.
- It cannot be overstated how important it is to regularly update the operating systems and applications on your mobile devices. To ensure this, you may enable auto-update on your devices to help with timely patching of mobile applications and operating systems whenever there are new updates.
- Consider enabling Fast Identity Online (FIDO) phishing-resistant multifactor authentication (MFA), as it is highly effective against MFA bypass techniques. Once you enroll your accounts in FIDO-based MFA, make sure to disable other less secure forms of multifactor authentication.
- Review which mobile applications can access sensitive data on your phone and restrict permissions where necessary.
- If you have reasons to believe your information has been compromised in the SMS system hack, report the incident to CISA at (844) 729-2472 or by email. Alternatively, you may report the incident online using CISA Services.