Chinese government hackers penetrated the networks of several large US-based Internet service providers and may have gained access to systems used for court-authorized wiretaps of communications networks, The Wall Street Journal reported Saturday. “People familiar with the matter” told the WSJ that hackers breached the networks of companies including Verizon, AT&T, and Lumen (also known as CenturyLink).
“A cyberattack tied to the Chinese government penetrated the networks of a swath of US broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests,” the WSJ wrote. “For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful US requests for communications data, according to people familiar with the matter.”
These “attackers also had access to other tranches of more generic Internet traffic,” according to the WSJ’s sources. The attack is being attributed to a Chinese hacking group called Salt Typhoon.
The Washington Post reported on the hacking campaign yesterday, describing it as “an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance.” The Post report attributed the information to US government officials and said an investigation by the FBI, other intelligence agencies, and the Department of Homeland Security “is in its early stages.”
The Post report said there are indications that China’s Ministry of State Security is involved in the attacks.
Verizon reportedly working with FBI
Verizon reportedly set up a war room at its facility in Ashburn, Virginia, where it is working with personnel from the FBI, Microsoft, and Google subsidiary Mandiant.
Wireless customers of Verizon and AT&T have found that they cannot make calls, send or receive text messages, or download any mobile data. As of this article’s publication, it appears the problem has yet to be resolved.
Users took to social media throughout the morning to complain that their phones were showing “SOS” mode, which allows emergency calls but nothing else. This is what phones sometimes offer when the user has no SIM registered on the device. Resetting the device and other common solutions do not resolve the issue. For much of the morning, Verizon offered no response to the reports.
Within hours, more than 100,000 users reported problems on the website Downdetector. The problem does not appear isolated to any particular part of the country; users in California reported problems, and so did users on the East Coast and in Chicago, among other places.
By 10 am, some AT&T users also began reporting problems. Outage maps based on user-reported data found that the outages were especially common in parts of the country otherwise affected by Hurricane Helene.
After a period of silence, Verizon acknowledged the problem in a public statement. “We are aware of an issue impacting service for some customers,” a spokesperson told NBC News and others. “Our engineers are engaged and we are working quickly to identify and solve the issue.”
However, the spokesperson did not specify why the outage was occurring. It’s not the first major online service outage this year, though. AT&T experienced an outage previously, and the CrowdStrike-related outage of Microsoft services caused chaos and made headlines in July.
Update 5: 37 PM ET: Some users are reporting they have regained service, and Verizon confirmed this in another statement: “Verizon engineers are making progress on our network issue and service has started to be restored. We know how much people rely on Verizon and apologize for any inconvenience some of our customers experienced today. We continue to work around the clock to fully resolve this issue.”
Verizon today announced a deal to acquire Frontier Communications, an Internet service provider with about 3 million customers in 25 states. Verizon said the all-cash transaction is valued at $20 billion.
Verizon agreed to pay $9.6 billion and is taking on over $10 billion in debt held by Frontier. Verizon said the deal is subject to regulatory approval and a vote by Frontier shareholders and is expected to be completed in 18 months.
“Under the terms of the agreement, Verizon will acquire Frontier for $38.50 per share in cash, representing a premium of 43.7 percent to Frontier’s 90-Day volume-weighted average share price (VWAP) on September 3, 2024, the last trading day prior to media reports regarding a potential acquisition of Frontier,” Verizon said.
Assuming regulatory and shareholder approval, Verizon will be buying back a former portion of its network that it sold to Frontier eight years ago. In 2016, Frontier bought Verizon’s FiOS and DSL operations in Florida, California, and Texas. The 2016 changeover was marred by technical problems that caused weeks of outages for tens of thousands of customers.
“Frontier’s 2.2 million fiber subscribers across 25 states will join Verizon’s approximately 7.4 million FiOS connections in 9 states and Washington, D.C.,” Verizon said. “In addition to Frontier’s 7.2 million fiber locations, the company is committed to its plan to build out an additional 2.8 million fiber locations by the end of 2026.”
Combined, the Verizon and Frontier fiber networks pass over 25 million premises in 31 states and the District of Columbia, the companies said. Verizon and Frontier both “expect to increase their fiber penetration between now and closing,” they said.
Frontier “complementary” to Verizon’s Northeast market
Frontier has 2.05 million residential fiber customers and 721,000 residential copper DSL customers, according to an earnings report. In the business and wholesale category, Frontier has 134,000 fiber customers and 102,000 copper customers. Frontier reported $1.48 billion in revenue in Q2 2024 and a net loss of $123 million.
Verizon said Frontier’s recent investment in fiber made it a more attractive acquisition target. “Over approximately four years, Frontier has invested $4.1 billion upgrading and expanding its fiber network, and now derives more than 50 percent of its revenue from fiber products,” Verizon said.
Verizon FiOS is available in parts of Connecticut, Delaware, Maryland, Massachusetts, New York, New Jersey, Virginia, Rhode Island, Pennsylvania, and the District of Columbia. Verizon said Frontier’s footprint is “highly complementary to Verizon’s core Northeast and Mid-Atlantic markets,” and will help grow the number of customers who purchase both home Internet and mobile service.
Frontier is available in parts of Alabama, Arizona, California, Connecticut, Florida, Georgia, Illinois, Indiana, Iowa, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Mexico, New York, North Carolina, Ohio, Pennsylvania, South Carolina, Tennessee, Texas, Utah, West Virginia, and Wisconsin.
Major record labels sued Verizon on Friday, alleging that the Internet service provider violated copyright law by continuing to serve customers accused of pirating music. Verizon “knowingly provides its high-speed service to a massive community of online pirates,” said the complaint filed in US District Court for the Southern District of New York.
Universal, Sony, and Warner say they have sent over 340,000 copyright infringement notices to Verizon since early 2020. “Those notices identify specific subscribers on Verizon’s network stealing Plaintiffs’ sound recordings through peer-to-peer (‘P2P’) file-sharing networks that are notorious hotbeds for copyright infringement,” the lawsuit said.
Record labels allege that “Verizon ignored Plaintiffs’ notices and buried its head in the sand” by “continu[ing] to provide its high-speed service to thousands of known repeat infringers so it could continue to collect millions of dollars from them.” They say that “Verizon has knowingly contributed to, and reaped substantial profits from, massive copyright infringement committed by tens of thousands of its subscribers.”
The firms allege that Verizon is guilty of contributory and vicarious copyright infringement and should have to pay damages of up to $150,000 for each work infringed. Plaintiffs filed what they call a “non-exhaustive” list of infringed works that includes 17,335 titles. That would imply requested damages of over $2.6 billion.
Numerous lawsuits against ISPs
Record labels and movie studios have filed numerous copyright lawsuits against Internet providers. Perhaps the most significant ongoing case involves Cox Communications, which has been fighting a $1 billion jury verdict since 2019.
Cox received support from groups such as the Electronic Frontier Foundation, which warned that the big money judgment could cause broadband providers to disconnect people from the Internet based only on accusations of copyright infringement. The US Court of Appeals for the 4th Circuit overturned the $1 billion verdict in February 2024, rejecting Sony’s claim that Cox profited directly from copyright infringement committed by users of Cox’s cable broadband network.
While judges in the Cox case reversed a vicarious liability verdict, they affirmed the jury’s additional finding of willful contributory infringement and ordered a new damages trial.
Cox recently said it is seeking a Supreme Court review on the questions of “whether an Internet service provider materially contributes to copyright infringement by declining to disconnect an Internet account knowing someone is likely to use it to infringe,” and “whether a secondary infringer can be adjudged willful based merely on knowledge of another’s direct infringement.” There is a circuit split on both questions, Cox said.
4,450 notices about one IP address
In the Verizon case, record labels claim that thousands of Verizon subscribers “were the subject of 20 or more notices from Plaintiffs, and more than 500 subscribers were the subject of 100 or more notices. One particularly egregious Verizon subscriber was single-handedly the subject of 4,450 infringement notices from Plaintiffs alone.”
That Verizon subscriber’s IP address was identified in 4,450 infringement notices between March 2021 and August 2023, the lawsuit said. Two other subscribers were allegedly the subject of 2,703 and 2,068 infringement notices, respectively.
“Verizon acknowledged that it received these notices of infringement sent by Plaintiffs’ representatives,” the lawsuit said. “Yet rather than taking any steps to address its customers’ illegal use of its network, Verizon deliberately chose to ignore Plaintiffs’ notices, willfully blinding itself to that information and prioritizing its own profits over its legal obligations.”
The plaintiffs claim that “Verizon has gone out of its way not to take action against subscribers engaging in repeated copyright infringement,” and “failed to terminate or otherwise take any meaningful action against the accounts of repeat infringers of which it was aware.”
“It is well-established law that if a party materially assists someone it knows is engaging in copyright infringement, that party is fully liable for the infringement as if it had infringed directly,” the lawsuit said.
Complaint system too onerous, suit claims
The lawsuit also complains that Verizon hasn’t made it easier for copyright owners to file complaints about Internet users:
Through one channel, Verizon claims to allow copyright holders to send P2P notices through a so-called “Anti-Piracy Cooperation Program,” but it has attached such onerous conditions to participation that the program is rendered a nullity. Not only has Verizon required participants to pay burdensome fees for simple, automated processes like Internet Protocol (“IP”) address lookups and notice forwarding, but participants have been required to waive their copyright claims, broadly indemnify Verizon, and, tellingly, keep the terms of the program confidential. Verizon has also limited the number of notices it will forward pursuant to the program.
The lawsuit said Verizon also allows copyright owners to send email notices of infringement instead of using the channel described above. The email method apparently doesn’t require copyright owners to waive their copyright claims or make payments, but the lawsuit alleges that “Verizon does not forward these notices to subscribers or track the number of email notices sent regarding repeat infringing subscribers. Verizon also arbitrarily caps the number of notices permitted per copyright holder at this address—ironic, to say the least, given that Verizon ignored hundreds of thousands of Plaintiffs’ notices to this email inbox.”
We contacted Verizon about the lawsuit and will update this article if it provides a response.
T-Mobile, Verizon, and AT&T will pay a combined $10.2 million in a settlement with US states that alleged the carriers falsely advertised wireless plans as “unlimited” and phones as “free.” The deal was announced yesterday by New York Attorney General Letitia James.
“A multistate investigation found that the companies made false claims in advertisements in New York and across the nation, including misrepresentations about ‘unlimited’ data plans that were in fact limited and had reduced quality and speed after a certain limit was reached by the user,” the announcement said.
T-Mobile and Verizon agreed to pay $4.1 million each while AT&T agreed to pay a little over $2 million. The settlement includes AT&T subsidiary Cricket Wireless and Verizon subsidiary TracFone.
The settlement involves 49 of the 50 US states (Florida did not participate) and the District of Columbia. The states’ investigation found that the three major carriers “made several misleading claims in their advertising, including misrepresenting ‘unlimited’ data plans that were actually limited, offering ‘free’ phones that came at a cost, and making false promises about switching to different wireless carrier plans.”
“AT&T, Verizon, and T-Mobile lied to millions of consumers, making false promises of free phones and ‘unlimited’ data plans that were simply untrue,” James said. “Big companies are not excused from following the law and cannot trick consumers into paying for services they will never receive.”
States have options for using money
The carriers denied any illegal conduct despite agreeing to the settlement. In addition to payments to each state, the carriers agreed to changes in their advertising practices. It’s unclear whether consumers will get any refunds out of the settlement, however.
The settlement gives states leeway in how to use the payments from carriers. The payments can be used to cover “attorneys’ fees and other costs of investigation and litigation,” or can go toward “consumer protection law enforcement funds.”
States can use the payments for future consumer protection enforcement, consumer education, litigation, or a consumer aid fund. The money can also be used for “monitoring and potential enforcement” of the settlement terms “or consumer restitution,” the settlement says.
We asked James’ office about whether any consumer restitution is planned and will update this article if we get a response.
Advertising restrictions
The three carriers agreed that all advertisements to consumers must be “truthful, accurate and non-misleading.” They also agreed to the following changes, the NY attorney general’s office said:
“Unlimited” mobile data plans can only be marketed if there are no limits on the quantity of data allowed during a billing cycle.
Offers to pay for consumers to switch to a different wireless carrier must clearly disclose how much a consumer will be paid, how consumers will be paid, when consumers can expect payment, and any additional requirements consumers have to meet to get paid.
Offers of “free” wireless devices or services must clearly state everything a consumer must do to receive the “free” devices or services.
Offers to lease wireless devices must clearly state that the consumer will be entering into a lease agreement.
All “savings” claims must have a reasonable basis. If a wireless carrier claims that consumers will save using its services compared to another wireless carrier, the claim must be based on similar goods or services or differences must be clearly explained to the consumer.
The advertising restrictions are to be in place for five years.
T-Mobile provided a statement about the settlement to Ars today. “After nine years, we are glad to move on from this industry-wide investigation with this settlement and a continued commitment to the transparent and consumer-friendly advertising practices we’ve undertaken for years,” T-Mobile said.
AT&T and Verizon declined to comment individually and referred us to their lobby group, CTIA. “These voluntary agreements reflect no finding of improper conduct and reaffirm the wireless industry’s longstanding commitment to clarity and integrity in advertising so that consumers can make informed decisions about the products and services that best suit them,” the wireless lobby group said.
T-Mobile is reportedly close to buying a portion of the regional carrier US Cellular, while Verizon has also held talks about buying some of US Cellular’s assets. “T-Mobile is closing in on a deal to buy a chunk of the regional carrier for more than $2 billion, taking over some operations and wireless spectrum licenses, according to people familiar with the matter,” The Wall Street Journal reported yesterday.
When contacted by Ars today, T-Mobile said it doesn’t “comment on rumors and speculation.” We contacted US Cellular and will update this article if we get a response.
The WSJ reports that a T-Mobile/US Cellular “deal could be reached as soon as later this month.” Verizon reaching its own deal with US Cellular could result in “separate transactions that would give both buyers access to valuable airwaves,” the report said.
While the WSJ report said that T-Mobile and Verizon are both “in discussions to carve up US Cellular,” a deal between US Cellular and Verizon appears to be less likely than the proposed T-Mobile transaction. Verizon declined to comment, but a source close to the issue told Ars that Verizon is not currently in talks with US Cellular.
The WSJ report paraphrases sources as saying that US Cellular’s “discussions with Verizon on a separate transaction are expected to take longer or might not result in an agreement.” The news report states that the “split-sale structure is designed to convince antitrust authorities who will review the deal that the tie-up won’t hurt competition.”
US Cellular may survive as smaller company
US Cellular would apparently stick around in some form even if it completes deals with both major carriers, the WSJ report said:
US Cellular offers wireless service to more than four million mostly rural customers across 21 states from Oregon to North Carolina. It also owns more than 4,000 cellular towers that weren’t part of the latest sale talks. The company has a market value of about $3 billion.
Members of the Chicago-based Carlson family control Telephone & Data Systems (TDS), which in turn owns 80 percent of U.S. Cellular. TDS last year put the wireless company’s operations on the block as it struggled with competition from national rivals and cable-broadband providers.
The rising value of wireless licenses is a driving force behind the deal. US Cellular’s spectrum portfolio touches 30 states and covers about 51 million people, according to regulatory filings.
Spectrum has become more valuable partly because Congress let the Federal Communications Commission’s authority to auction spectrum expire in March 2023. FCC Chairwoman Jessica Rosenworcel has urged Congress to restore the spectrum authority the agency held for over 30 years, calling spectrum auctions “an indispensable tool for harnessing the promise of new wireless technologies.”
The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million “for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”
The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.
All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.
The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.
The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.
“Shady actors” got hold of data
The problem first came to light with reports of customer location data “being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a ‘location-finding service’ operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals,” the FCC said.
Chairwoman Jessica Rosenworcel said that news reports in 2018 “revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data.”
For a time after the 2018 reports, “all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent,” the FCC said.
The three carriers are ready to challenge the fines in court. “This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” T-Mobile said in a statement provided to Ars. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”
After finding “more than 100 readings with elevated lead near cables,” the EPA sent letters to AT&T and Verizon in December, requesting a meeting later this month, the Journal revealed. On the agenda, the EPA expects the companies to share internal data on their own testing of the cables, as well as details from any “technical reports related to the companies’ testing and sampling,” the WSJ reported.
The EPA’s investigation was prompted by a WSJ report published last July, alleging that AT&T, Verizon, and other companies were aware that thousands of miles of cables could be contaminating soils throughout the US, “where Americans live, work and play,” but did nothing to intervene despite the many public health risks associated with lead exposure.
In that report, tests showed that the telecom cables were likely the source of lead contaminated soils because “the amount measured in the soil was highest directly under or next to the cables and dropped within a few feet.” WSJ also spoke to residents and former telecom employees in areas tested who had contracted illnesses commonly linked to lead exposure.
Immediately, WSJ’s report spurred lawmakers to demand a response from USTelecom—a telecommunications trade association representing companies accused—with Senator Ed Markey (D-Mass.) suggesting that telecom giants were seemingly committing “corporate irresponsibility of the worst kind.”
Since then, the EPA has followed up and developed “its own testing data” in West Orange, New Jersey, southwest Pennsylvania, and Louisiana—the same locations flagged by the WSJ. In all locations, the EPA found lead contamination exceeding the “current recommendation for levels of lead it believes are generally safe in soil where children play,” 400-parts-per-million, the WSJ reported. In West Orange, two testing sites found lead “at 3,300 parts per million or higher.”
According to the EPA, initial testing by a national working group led to a conclusion that none of these sites poses an immediate health risk or requires an emergency response, but that finding hasn’t stopped the probe. The EPA told the WSJ that it still needs to address unanswered questions to decide “whether further actions may be required to address risks from the lead-containing cables.”
“While some locations sampled show concentrations above screening levels for long term exposures, existing data is not sufficient to determine whether lead from the cables poses a threat, or a potential threat, to human health or the environment,” the EPA said in a Reuters report.
Companies maintain that evidence from their own testing has shown lead cables do not pose public health risks requiring remediation.
USTelecom, speaking on behalf of Verizon and other telecom companies, told the WSJ that “our industry has been engaging with the EPA and our companies look forward to meeting with the EPA to discuss agency and industry testing results. We will continue to follow the science, which has not identified that lead-sheathed telecom cables are a leading cause of lead exposure or the cause of a public health issue.”
AT&T told the WSJ that it “will continue to work collaboratively with the EPA as it undertakes its review of lead-clad telecommunications cables. We look forward to the opportunity to meet with the EPA to discuss recent testing and other evidence that contradicts the Wall Street Journal’s assertions.”
An EPA spokesperson, Nick Conger, told Bloomberg that there is no date set for the meeting yet.
Verizon Wireless gave a female victim’s address and phone logs to an alleged stalker who pretended to be a police officer, according to an affidavit filed by an FBI special agent. The man, Robert Michael Glauner, was later arrested near the victim’s home and found to be carrying a knife at the time, according to the affidavit submitted in court yesterday.
Glauner allegedly traveled from New Mexico to Raleigh, North Carolina, after finding out where she lived and, before arriving, sent a threatening message that said, “if I can’t have you no one can.” He also allegedly threatened to send nude photos of the victim to her family members.
Glauner was charged yesterday with stalking and fraud “in connection with obtaining confidential phone records” in US District Court for the Eastern District of North Carolina. We aren’t posting or linking directly to the court record because it seems to contain the victim’s home address. The incident was previously reported by 404 Media.
Glauner and the victim met in August or September 2023 on xhamster.com, a porn website with dating features, and “had an online romantic relationship,” the affidavit said. The victim ended the relationship, but Glauner “continued to contact or try to contact” her, the document said.
Glauner tricked Verizon into providing sensitive information by sending an email and fake search warrant to [email protected], the email address for the Verizon Security Assistance Team (VSAT), which handles legal requests. Verizon didn’t realize the request was fraudulent even though it came from a Proton Mail address rather than from a police department or other governmental agency, according to the affidavit filed yesterday by FBI Special Agent Michael Neylon.
Fake cop, forged judge’s signature
An email to Verizon from “[email protected]” on September 26, 2023, said, “Here is the pdf file for search warrant. We are in need if the [sic] this cell phone data as soon as possible to locate and apprehend this suspect. We also need the full name of this Verizon subscriber and the new phone number that has been assigned to her. Thank you.”
The email’s attached document contained a fake affidavit written by “Detective Steven Cooper” of the Cary, North Carolina Police Department. The Cary Police Department confirmed that no officer named Steven Cooper is employed by their agency, Neylon wrote.
VSAT received a phone call the same day from a man identifying himself as Cooper, who stated that he needed information on a suspect in a homicide case. “The caller stated that the person involved changed her phone number,” Neylon wrote.
The fake affidavit asked for the new phone number as well as “call records both outgoing and incoming” and “locations and text messages incoming and outgoing.” The affidavit for a search warrant was supposedly approved by Superior Court Judge Gale Adams.
Adams is a real judge and she later confirmed to authorities “that the signature displayed on the document was not hers,” Neylon wrote. Neylon’s affidavit also said the “search warrant” was “not in the proper format and does not have form AOC-CR-119, as required for State of North Carolina search warrants.”
Verizon provides address and phone logs
But after reviewing the email and document sent by “Cooper,” Verizon provided an address and phone logs. “On October 5, 2023, Verizon Wireless provided Victim 1’s phone records, including address and phone logs, to Glauner,” according to Neylon’s affidavit.
Verizon’s website says that the Verizon Security Assistance Team ensures that “court orders, search warrants, subpoenas and other legal demands served upon Verizon are processed confidentially and in compliance with all applicable law.”
“Verizon Security Assistance Team will only accept valid legal demands (subpoena, court order or search warrant) for records,” the VSAT webpage says.
We contacted Verizon about the incident today and will update this article if we get a response. A Verizon spokesperson told 404 Media that the company is cooperating with law enforcement on this matter.