Skip to content
Chimera readability score 69 out of 100, Academic reading level.

From massive carrier breaches to nation-state espionage campaigns, communications metadata has become a valuable target for cybercriminals, intelligence agencies, and regulators alike.
Key takeaways
- Communications metadata is more revealing than many people realize. When combined with other data sources, it can expose relationships, routines, locations, and behavioral patterns.
- Recent telecom breaches demonstrate the real-world impact of CPNI exposure. Communications data is a valuable target for both financially motivated threat actors and nation-state intelligence operations.
- Regulators are treating telecom privacy as a growing security issue. Telecom providers now face greater expectations around protecting customer data, reporting breaches, and maintaining security controls.
Customer Proprietary Network Information (CPNI) is data generated by wireless subscriber activity and collected by telecommunications companies. CPNI includes the time, date, duration, and destination number of a call, and some subscription information such as the number of lines on an account. The CPNI data designation does not include financial information or sensitive personal information like credit card data or Social Security numbers.
We have previously discussed Personally Identifiable Information (PII), which is a broader category of data than CPNI. PII includes names, addresses, phone numbers, email addresses, and other data that can be used to identify a specific individual or device. There is no overlap between the formal designations of CPNI and PII, but there are times when CPNI can become PII. This occurs when the CPNI data is linked to a specific person through a phone number, account number or other subscriber information.
CPNI breaches: bigger, bolder, and harder to ignore
The 2023 AT&T vendor breach affecting 9 million customers was our first big example of a CPNI breach that involved PII. That looks modest in retrospect. In 2024, AT&T disclosed two separate incidents that together affected well over 100 million current and former customers.
The first, announced in March 2024, involved the leak of data for 73 million current and former subscribers — data that had reportedly been sitting on a criminal forum for years before AT&T acknowledged it publicly. The second, disclosed in July 2024, was larger in scope: attackers accessed AT&T's Snowflake cloud environment and downloaded call and text message records for nearly all of its wireless customers — approximately 110 million people. The stolen data covered a six-month period in 2022 and included phone numbers, call records, text message records, and for some customers, location-adjacent data like cell site identifiers. No names, Social Security numbers or financial data were taken — but the call record haul was a textbook example of CPNI exposure at scale. AT&T later acknowledged paying approximately $370,000 in bitcoin to a member of the ShinyHunters hacking group in exchange for deletion of some of the stolen data. Mandiant attributed the Snowflake breach to UNC5537, a financially motivated criminal group.
Why does a pile of call records matter if your name isn't attached? Because metadata tells a story. Who you called, how often, and when — combined with subscriber data linking those numbers to identities — is enough to reconstruct relationships, routines, and in some cases, sensitive personal situations. Investigators, journalists, attorneys, abusers, and stalkers all have reasons to want that picture. Threat actors have reasons to sell it.
Salt Typhoon: when CPNI becomes a national security issue
The AT&T Snowflake breach was criminal and financially motivated. Salt Typhoon is something else entirely.
Salt Typhoon is an advanced persistent threat (APT) group linked to the People’s Republic of China (PRC) Ministry of State Security (MSS). Beginning as early as 2021 and escalating through 2024, the group infiltrated at least nine major U.S. telecommunications companies, including AT&T, Verizon, Lumen Technologies, and T-Mobile. The compromise was described by Senator Mark Warner as “the worst telecom hack in our nation’s history.”
Salt Typhoon didn't just steal CPNI. The group accessed metadata for over a million users in the Washington, D.C. area, obtained audio recordings of calls made by senior government officials and political figures, and — most alarmingly — infiltrated the wiretapping systems mandated by the Communications Assistance for Law Enforcement Act (CALEA). Those systems, designed to give law enforcement court-authorized access to communications, became an entry point for Chinese intelligence. The attackers could see who was under surveillance, access intercepted data, and map the communication patterns of U.S. intelligence targets.
The campaign didn't stop after public disclosure. Recorded Future documented Salt Typhoon breaching five additional telecom firms between December 2024 and January 2025. By August 2025, the FBI confirmed the group had compromised at least 200 companies across 80 countries. In June 2025, Viasat — a satellite communications provider relied on by the U.S. military — was named as a victim, indicating a deliberate expansion into space-based infrastructure.
The U.S. government sanctioned Sichuan Juxinhe Network Technology Co., Ltd. and affiliated individuals in January 2025 for their direct role in supporting Salt Typhoon. The Cyber Safety Review Board was investigating the breach when the current administration disbanded it in March 2025 before the investigation concluded.
Salt Typhoon is a useful reminder that CPNI isn't just a compliance category. Communications metadata and subscriber data are intelligence assets, and nation-states are willing to invest heavily to obtain them.
The regulatory landscape has changed significantly
In 2023, CPNI rules were enforced primarily under regulations that had been in place since 2007, with modest updates over the years. That changed in February 2024, when the FCC issued a landmark Report and Order substantially expanding breach notification requirements for telecommunications carriers, interconnected Voice over Internet Protocol (VoIP) providers, and telecommunications relay services (TRS).
The key changes from the 2024 FCC Order include:
- Scope expanded beyond CPNI: Previously, breach notification obligations applied only to CPNI. The 2024 Order expanded coverage to include all personally identifiable information (PII) carriers hold on their customers — names, addresses, government-issued ID numbers, usernames, passwords, and more.
- Inadvertent breaches now count: The prior definition of "breach" required intentional unauthorized access. The new definition includes inadvertent access, use, or disclosure of covered data — including mishandled customer lists, misdirected emails, and similar accidents, not just threat-actor intrusions.
- FCC added as required notification recipient: Carriers must now notify the FCC in addition to the Secret Service and FBI within seven business days of discovering a reportable breach. The threshold for mandatory notification to federal agencies is 500 or more customers affected, or a reasonable likelihood of customer harm.
- Faster customer notification: The old rules included a waiting period before notifying customers after law enforcement was informed. The new rules require prompt customer notification. Carriers may omit notification only if they can reasonably determine no harm to customers is likely, or if the breach involved only encrypted data with an uncompromised key.
Carriers challenged the 2024 Order in court. On August 13, 2025, the Sixth Circuit Court of Appeals upheld the rules in Ohio Telecom Association v. FCC, affirming the FCC's authority to regulate carrier security practices under the Communications Act. The revised rules are now settled law. Carriers should be prepared to comply, including updating incident response programs and implementing appropriate encryption for both CPNI and PII.
As always, some states maintain stricter rules. Arizona requires subscriber opt-in before carriers can use CPNI for marketing. California mandates more comprehensive consumer disclosures. These requirements layer on top of federal rules, not beneath them. When in doubt, check the FCC's enforcement guidance or consult counsel.
What can you actually do about it?
You can't prevent a Salt Typhoon-scale attack on your carrier's infrastructure. But you can reduce your exposure and limit how your data is used and shared.
- Use strong, unique credentials with multifactor authentication (MFA). The AT&T Snowflake breach succeeded in part because cloud database accounts lacked multifactor authentication. That same principle applies to your own accounts — your carrier account, your email, everything.
- Opt out of CPNI data sharing. Carriers default to using and sharing your data unless you opt out. Contact your carrier directly or visit their opt-out pages. The major carriers have published information on how to restrict use of your data:
- Verizon CPNI and opt-out information
- T-Mobile privacy and opt-out information
- AT&T CPNI and opt-out information
- Use a VPN over cellular rather than public Wi-Fi. Public networks expose your device activity and data. A VPN over cellular or a trusted Wi-Fi connection significantly reduces that exposure.
- Watch for privacy policy updates. Carriers can change how they use your data at any time, and your continued use of the service is typically treated as consent. Review notices when they arrive.
- Consider end-to-end encrypted messaging. The Salt Typhoon campaign demonstrated that traditional SMS and phone calls can be intercepted at the infrastructure level. Apps that use end-to-end encryption (such as Signal) protect message content from interception even if the carrier network is compromised.
CPNI is no longer just a telecom issue
CPNI looked like a narrow, technical regulatory category when this blog was first written. The past two years have demonstrated that communications metadata — call records, subscriber data, usage patterns — sits at the intersection of consumer privacy, financial crime, and national security. The regulatory framework has kept pace, at least partially. The FCC's 2024 rules are now upheld and in effect. But rules don't stop determined nation-state actors, and they don't prevent carriers from monetizing your data in ways you haven't explicitly restricted.
The best day to contact your wireless carrier and opt out of CPNI usage was two years ago. The second best day is today.
2026 Email Threats Report
Learn how AI and phishing-as-a-service are reshaping the email threat landscape and how to stay protected
Subscribe to the Barracuda Blog.
Sign up to receive threat spotlights, industry commentary, and more.
The Managed XDR Global Threat Report
Key findings about the tactics attackers use to target organizations and the security weak spots they try to exploit

Facts Only

* CPNI is data generated by wireless subscriber activity collected by telecommunications companies.
* CPNI includes time, date, duration, and destination number of a call, along with subscription information like the number of lines on an account.
* CPNI does not include financial information or Social Security numbers.
* CPNI can become PII when linked to a specific person via subscriber information.
* An AT&T breach involved data for 73 million current and former subscribers.
* A subsequent incident affected approximately 110 million wireless customers, including call records and text messages from a six-month period in 2022.
* The Salt Typhoon group infiltrated major U.S. telecom companies including AT&T, Verizon, Lumen Technologies, and T-Mobile between 2021 and 2024.
* The Salt Typhoon group accessed metadata for over a million users in the Washington, D.C. area.
* The group accessed audio recordings of calls made by senior government officials.
* The FCC issued a landmark Report and Order in February 2024 expanding breach notification requirements.
* The new rules expand coverage to include PII carriers hold on customers and account information.
* Carriers must notify the FCC, Secret Service, and FBI within seven business days of discovering a reportable breach affecting 500 or more customers or posing a reasonable likelihood of harm.

Executive Summary

Communications metadata, which includes details on call times, duration, and destinations, is a valuable target for cybercriminals and intelligence agencies because it can reveal relationships, routines, and behavioral patterns when combined with other data sources. Recent telecom breaches illustrate the real-world impact of exposing Customer Proprietary Network Information (CPNI). CPNI encompasses subscriber activity details such as call records and account information, although it excludes highly sensitive financial details like credit card numbers. While CPNI is distinct from Personally Identifiable Information (PII), linking CPNI data to specific individuals can result in PII exposure. The scale of CPNI breaches has increased, exemplified by the AT&T incidents involving call and text records for millions of customers. Furthermore, state and federal regulations have evolved; a 2024 FCC Order expanded breach notification requirements to include PII carriers, included inadvertent breaches, and mandated faster customer notifications. While regulatory changes and carrier compliance are in place, the potential for metadata to be used as an intelligence asset by nation-states remains a significant concern.

Full Take

The narrative shifts from a narrow regulatory compliance issue to an intelligence asset issue when viewing communications metadata through the lens of adversarial state activity. The key pattern is the operationalization of seemingly benign data—call logs and subscriber information—into high-value intelligence, as demonstrated by the Salt Typhoon operation targeting infrastructure, wiretapping systems, and government communication patterns. This suggests that the primary vulnerability is not just regulatory compliance, but the intrinsic value assigned to connectivity records by sophisticated actors. The evolution of CPNI regulation shows a reactive shift, where post-incident failures force regulators to expand scope, including inadvertent breaches and notification timelines. This establishes a pattern where legal frameworks struggle to keep pace with systemic threat evolution; laws are updated after breaches have occurred rather than anticipating the intelligence utility of the data itself. The suggested mitigation strategies—MFA, opting out, and end-to-end encryption—represent layered defense mechanisms against this flow of information. The core implication is that cognitive sovereignty requires recognizing metadata not as mere commercial transaction logs but as a potentially actionable geopolitical signal, compelling individuals to understand the architecture of their data exposure beyond simple privacy settings. What level of systemic resistance is required when nation-state actors can successfully pivot through mandated legal access points like CALEA?
The language of data privacy: What is CPNI and why should you care? — Arc Codex