Play Ransomware Targets US Telecom Sector with Back-to-Back Breaches
Play ransomware has added Hightower Communications, a US telecommunications provider, to its dark web leak site, marking the second attack on the sector in just ten days. The group previously listed Legend Networking and Telecom on May 25, signaling a deliberate focus on US telecom infrastructure rather than opportunistic attacks.
The breach exposes highly sensitive data, including subscriber identity records, call detail records (CDRs), SMS metadata, billing records, and network routing configurations. CDRs detailing call timestamps, durations, and locations can reveal personal and professional networks, movement patterns, and behavioral routines. Additionally, E911 emergency services data and law enforcement intercept infrastructure governed by CALEA may be at risk, depending on Hightower’s network architecture.
As a telecommunications carrier, Hightower is subject to FCC breach notification rules and Customer Proprietary Network Information (CPNI) regulations, which impose stricter disclosure requirements than standard state data breach laws. The appearance on Play’s leak site triggers regulatory timelines, regardless of whether the full scope of the compromise is confirmed.
Play’s historical timeline suggests the initial breach likely occurred in late April or early May, with attackers maintaining access for weeks before public disclosure. The rapid succession of telecom targets, Legend Networking on May 25 and Hightower in early June, indicates either active sector targeting or simultaneous campaigns against multiple providers, heightening risks for the broader US telecom industry.
Hightower has not publicly confirmed the breach, and the exact data in Play’s possession remains unverified. However, the group’s track record of following through on leak site threats places the company under immediate legal, operational, and reputational pressure. Subscribers, particularly those with exposed CDRs or CPNI-protected data, face potential downstream risks while awaiting official disclosure.
Hightower Communications, Inc. cybersecurity rating report: https://www.rankiteo.com/company/hightowercommunicationssinc
Legend Network and Telecom cybersecurity rating report: https://www.rankiteo.com/company/legend-network-and-telecom
{
  "id": "HIGLEG1780417591",
  "linkid": "hightowercommunicationssinc, legend-network-and-telecom",
  "type": "Ransomware",
  "date": "5/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'US',
                        'name': 'Hightower Communications',
                        'type': 'Telecommunications Provider'},
                       {'industry': 'Telecommunications',
                        'location': 'US',
                        'name': 'Legend Networking and Telecom',
                        'type': 'Telecommunications Provider'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes (CDRs, subscriber '
                                                        'identity records)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Subscriber identity records',
                                              'Call detail records (CDRs)',
                                              'SMS metadata',
                                              'Billing records',
                                              'Network routing configurations',
                                              'E911 emergency services data',
                                              'Law enforcement intercept '
                                              'infrastructure']},
 'date_publicly_disclosed': '2024-06-early',
 'description': 'Play ransomware has added Hightower Communications, a US '
                'telecommunications provider, to its dark web leak site, '
                'marking the second attack on the sector in just ten days. The '
                'group previously listed Legend Networking and Telecom on May '
                '25, signaling a deliberate focus on US telecom '
                'infrastructure. The breach exposes highly sensitive data, '
                'including subscriber identity records, call detail records '
                '(CDRs), SMS metadata, billing records, and network routing '
                'configurations. CDRs detailing call timestamps, durations, '
                'and locations can reveal personal and professional networks, '
                'movement patterns, and behavioral routines. Additionally, '
                'E911 emergency services data and law enforcement intercept '
                'infrastructure governed by CALEA may be at risk. Hightower is '
                'subject to FCC breach notification rules and CPNI '
                'regulations, which impose stricter disclosure requirements. '
                'Play’s historical timeline suggests the initial breach likely '
                'occurred in late April or early May, with attackers '
                'maintaining access for weeks before public disclosure.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': 'Highly sensitive data, including subscriber '
                                'identity records, call detail records (CDRs), '
                                'SMS metadata, billing records, network '
                                'routing configurations, E911 emergency '
                                'services data, and law enforcement intercept '
                                'infrastructure',
            'identity_theft_risk': 'High (CDRs, subscriber identity records)',
            'legal_liabilities': 'High (FCC breach notification rules, CPNI '
                                 'regulations)'},
 'motivation': 'Deliberate sector targeting',
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Play'},
 'references': [{'source': 'Dark web leak site'}],
 'regulatory_compliance': {'regulations_violated': ['FCC breach notification '
                                                    'rules',
                                                    'Customer Proprietary '
                                                    'Network Information '
                                                    '(CPNI) regulations']},
 'threat_actor': 'Play Ransomware',
 'title': 'Play Ransomware Targets US Telecom Sector with Back-to-Back '
          'Breaches',
 'type': 'Ransomware'}