If you're a journalist who used AT&T between May 1 and Oct. 31, 2022, you're going to want to revisit your call and text history from that time and see which of your sources you were communicating with. On July 12, we learned that AT&T suffered a breach of text and phone records from “nearly all” customers. Not only are your source communication records potentially exposed, but your sources’ records might be exposed if they used AT&T during this period.

We don’t yet know how widespread the hacked data is, and it’s therefore too soon to say what the impact of this attack will be. But we can say that this incident calls attention to a massive weak point in our telecommunications infrastructure: The service provider retains records of your conversations. This metadata — information about your conversations — is vulnerable to exposure not only through legal requests but also through successful hacking attempts like this one.

This breach underscores the risks behind call and text metadata. This isn't a theoretical concern. For example, in 2021 a Treasury Department whistleblower was sentenced to six months in prison after being identified — through WhatsApp metadata — communicating with a BuzzFeed News reporter.

Compared to traditional text or phone calls, Signal handles metadata much more safely. Unlike your telecom provider, Signal doesn't retain logs of your calls and texts on their servers. Your activities are only stored on your device and with anyone you speak to. If you’re not using Signal, get started here. If you’re already using it, learn how to lock it down.

One of the biggest hurdles for journalists who want to have a private conversation with a source is that the channel for communication is often driven by sources. You want sources to feel comfortable, so naturally you accommodate. But this is a good example of why it's also important to nudge sources to use more secure communication channels and to establish this norm up front.

So how do you convince people to use a more secure channel? Sources don't always find an argument for security compelling, and it might even intimidate potential sources. But people care about connecting with you. You may have more luck simply saying, "This is the easiest way to reach me."

It’s easy for someone to reach out over text message or phone call, potentially even from their place of work, introducing them to needless risk. You want sources to have exposure to secure tip channels before they reach out. Put your secure contact information in your social media bio and professional website, and advertise it widely. Make it easy for someone to find so they're less likely to reach out over a channel that will leave a trail of unwanted breadcrumbs.

If you have a confidential tip page or a website with your contact information, learn how to advise people to reach out in the safest way possible.

If you need assistance getting set up with secure communication tools or want to talk through how to minimize risk when working with sources, our digital security training team can help. Reach out here.