Charter Communications discovered on May 25, 2026 that the ShinyHunters extortion group had been inside its Salesforce CRM environment since approximately April 1 — a roughly two-month intrusion that began with a voice phishing attack against a Charter employee’s Microsoft Entra credentials. The breach exposed at least 13 million customer records, according to Charter’s own confirmation. ShinyHunters claimed a substantially larger figure: 40 to 42 million records. Another 27,000 employee records were also compromised.
The data categories Charter confirmed as exposed — names, work emails, home addresses, phone numbers, and employee records — are sensitive but deliberately framed. Charter’s public statement included a specific denial: the company stated that no customer proprietary network information and no sensitive personal information had been stolen. That denial was not incidental. For a telecommunications company subject to Federal Communications Commission rules on CPNI, it was the single most legally consequential sentence Charter’s communications team could produce. Understanding why requires unpacking a regulatory framework that most people outside the telecom industry have never encountered.
This breach also extends a documented pattern. Charter is the third major enterprise confirmed compromised in May 2026 via the same combination of attack vectors: ShinyHunters, vishing, and Salesforce CRM access. Cushman & Wakefield and 7-Eleven were both confirmed victims weeks before Charter’s announcement. The repetition of the same attack chain across three large organizations within a single month is not coincidence — it reflects an attacker that has industrialized a technique and found it consistently profitable.
What Happened
The Vishing Entry Point
Charter’s Entra credentials were compromised through a vishing attack — a voice phishing call in which a threat actor impersonated a trusted party, likely IT support or a vendor, and manipulated a Charter employee into disclosing credentials or approving an authentication prompt. Microsoft Entra (formerly Azure Active Directory) is the identity platform underpinning Microsoft 365 and a wide range of enterprise cloud applications. When an attacker obtains valid Entra credentials, they inherit the authenticated session of the employee whose credentials were stolen — including access to any cloud applications integrated with the identity provider.
Vishing defeats technical controls because it operates outside the monitoring perimeter. No endpoint detection tool, email filtering system, or network anomaly sensor has visibility into a phone call. The attack surface is the employee. Vishing has become a preferred initial access technique among ransomware and extortion groups precisely because its effectiveness is limited only by the attacker’s ability to sound credible — and sophisticated threat actors have invested heavily in making their calls credible.
The intrusion began on approximately April 1, 2026. Charter discovered it on May 25. That is a dwell time of roughly seven weeks — not unusual for a sophisticated attacker who is focused on data exfiltration rather than destructive ransomware deployment. An exfiltration-focused attacker has every incentive to remain quiet, avoid triggering anomaly detection, and harvest data methodically before issuing a demand.
The Salesforce Environment
Once inside Charter’s identity environment, ShinyHunters pivoted to the company’s Salesforce CRM deployment. CRM systems are high-value targets because they are purpose-built to aggregate customer data. Charter’s Salesforce environment, as a telecommunications company, would contain the customer records that feed sales, billing, support, and retention workflows: names, addresses, phone numbers, account identifiers, and service history. It may also contain internal employee records if Salesforce was used for workforce management functions — which would explain the 27,000 employee records confirmed as compromised.
Charter confirmed 13 million customer records were exposed. ShinyHunters claimed 40 to 42 million. The gap between these figures is significant. Charter’s 13 million figure likely reflects records whose exposure Charter can confirm through forensic analysis of the attacker’s access logs. ShinyHunters’ claimed 40 to 42 million may reflect total records the attacker queried or downloaded, which may include duplicate records, historical records, or records from integrated systems. Neither figure is necessarily more authoritative at this stage of the investigation. Charter’s customer base across its Spectrum brand numbers approximately 32 million, which provides a ceiling against which ShinyHunters’ claim can be calibrated.
Class Action Investigations
Within days of the breach announcement, class action law firms had opened investigations. This is standard market behavior following any large-scale consumer data breach: plaintiffs’ firms monitor breach disclosures, contact potential plaintiffs, and file within weeks. Charter faces the same trajectory that has played out in nearly every major consumer breach of the past decade — confirmed exposure, regulatory scrutiny, and civil litigation running in parallel, each proceeding on its own timeline but drawing from the same underlying facts.
The ISP Regulatory Framework
Telecommunications companies operate under a regulatory architecture that is meaningfully different from the framework governing most other industries. An ISP facing a data breach does not simply navigate state breach notification laws and potential FTC scrutiny. It faces a layered set of federal obligations that exist specifically because Congress and the FCC have determined that ISPs occupy a position of unique trust relative to their customers.
That position of trust is not abstract. An ISP is not merely a vendor whose customer list was compromised. It is the infrastructure through which a customer’s internet communications pass. It knows what sites the customer visits, when they are active online, what devices are on their network, and — in some configurations — much more. The regulatory framework for ISPs reflects this elevated sensitivity. It demands that ISPs treat certain categories of customer data with heightened protection and face consequences for mishandling them.
CPNI and the FCC: Why Charter’s Denial Matters
What CPNI Is
Customer proprietary network information is defined by statute under the Communications Act, 47 U.S.C. § 222. CPNI is information that a telecommunications carrier acquires in the course of providing service about its customers: the quantity, technical configuration, type, destination, location, and amount of their use of telecommunications services, as well as information contained in their bills. In simpler terms: call records, data usage records, routing information, and billing detail that an ISP generates as a byproduct of providing service.
CPNI is categorically distinct from the contact and demographic information that was confirmed compromised in the Charter breach. Names, addresses, phone numbers, and email addresses are PII, but they are not CPNI. CPNI is the usage data — the records of what Charter’s network infrastructure generated by watching traffic flow.
The FCC’s CPNI rules under 47 C.F.R. Part 64 impose specific obligations on carriers:
- Carriers must implement reasonable measures to protect CPNI from unauthorized disclosure or access.
- When CPNI is breached, carriers must notify the FBI and the Secret Service within seven business hours. (This obligation predates most state breach notification laws and remains carrier-specific.)
- Carriers must notify affected customers of a CPNI breach and provide them with information about the breach and its potential consequences.
- Carriers must maintain a CPNI compliance program and appoint a designated officer responsible for CPNI protection.
The FCC has enforcement authority over CPNI violations and has levied substantial fines. In 2022, the FCC proposed $200 million in combined fines against the four major wireless carriers for sharing customers’ real-time location data with data aggregators without consent. The fines against AT&T ($57 million), T-Mobile ($80 million), Verizon ($46 million), and Sprint ($12 million) were among the largest CPNI enforcement actions in the FCC’s history.
Why Charter’s Specific Denial Was Strategic
When Charter stated publicly that no CPNI had been stolen, it was not making a factual observation for the benefit of affected customers. It was placing Charter in a specific regulatory category with respect to FCC enforcement obligations.
If CPNI were confirmed compromised, Charter would face mandatory notification obligations to the FBI and Secret Service within seven hours of confirmation, followed by customer notification obligations under FCC rules. It would also face exposure to FCC enforcement proceedings with potential fines calibrated to the scale of the CPNI exposure. The FCC’s recent enforcement posture — including the 2022 location data fines — signals willingness to pursue carriers for CPNI failures.
By confirming that the breach involved names, addresses, and phone numbers but not CPNI, Charter cleanly separates the breach from the most prescriptive tier of its telecom-specific regulatory obligations. The breach is still a serious compliance event — the remaining state notification obligations and FTC exposure are substantial — but the CPNI denial effectively removes the FCC’s most direct enforcement hook.
That does not mean the FCC will be entirely uninvolved. The FCC has been considering expanded data security rules for carriers under its authority over telecom providers, and a breach of this scale affecting 13 million customers will draw attention. But the difference between “breach involving CPNI” and “breach not involving CPNI” is the difference between mandatory specific notification obligations and discretionary enforcement scrutiny.
The Limits of Charter’s Denial
Charter’s statement that no “sensitive personal information” was stolen warrants scrutiny even if the CPNI denial holds. Names, home addresses, and phone numbers for 13 million consumers are not trivial. They are the inputs to targeted social engineering attacks, the information required for account takeover attempts, and the data categories that enable fraud schemes targeting the elderly and other vulnerable populations.
Whether these categories qualify as “sensitive” in Charter’s regulatory framing depends on jurisdiction. Under several state privacy laws, combinations of contact data with account information trigger heightened protection requirements. Under FTC precedent, a company’s public characterization of compromised data as non-sensitive has sometimes become the basis for subsequent enforcement action when affected individuals suffered harm that the company’s framing obscured.
SEC Form 8-K: The Materiality Question
Item 1.05 Requires Fast Decisions Under Uncertainty
The SEC’s cybersecurity disclosure rules, effective December 2023, require public companies to disclose material cybersecurity incidents on Form 8-K under Item 1.05 within four business days of determining that a cybersecurity incident is material. Charter Communications (CHTR) is publicly traded on NASDAQ, which means these rules apply.
The four-business-day clock does not start at the date of the breach. It starts at the date the company determines the incident is material. This distinction was intentional — Congress and the SEC recognized that companies need time to investigate before they can make a materiality determination — but it creates pressure to investigate rapidly and make a defensible determination promptly, because any delay in that determination will be scrutinized.
What “Material” Means in This Context
Materiality under SEC doctrine asks whether a reasonable investor would consider the information significant in making an investment decision. For a cybersecurity incident, the materiality analysis encompasses: the scope of the breach, the categories of data involved, the potential regulatory and litigation exposure, the operational impact, and the cost of remediation and notification.
A breach affecting 13 million customer records at a public telecommunications company with 32 million subscribers — a breach confirmed by the company and attributed to a months-long intrusion into its core CRM system — presents a plausible materiality argument. The factors that would weigh toward a materiality finding include the scale relative to Charter’s total customer base (roughly 40 percent), the confirmed dwell time of seven weeks, the regulatory exposure across multiple agencies, and the class action investigations already underway.
Charter’s public disclosure of the breach on May 25, 2026 itself functions as evidence that the company concluded the breach was sufficiently significant to disclose. Whether it files a Form 8-K under Item 1.05 — or makes a determination that the breach, while significant, is not material under the SEC’s definition — will be a closely watched compliance decision. Failure to file when a breach is later found to have been material is an SEC enforcement risk. Filing when a breach is not material invites scrutiny of the determination process.
The SolarWinds Precedent
The SEC’s 2023 enforcement action against SolarWinds and its CISO established that the agency is willing to pursue not just companies but individual executives for cybersecurity disclosure failures. Although a court subsequently dismissed significant portions of that action, it demonstrated that the SEC’s approach to cybersecurity enforcement is not confined to institutional penalties. ISPs and their executives managing disclosure decisions around breaches of this scale are making decisions with personal professional and legal consequences, not just corporate compliance decisions.
Fifty-State Notification: The ISP’s Compulsory Marathon
All Fifty States, Simultaneously
Unlike a company that operates in one region or a handful of states, Charter Communications serves customers in 41 states under the Spectrum brand. A breach of Charter’s national customer database triggers breach notification obligations in every state where an affected customer resides — which, for a breach affecting 13 million records drawn from a nationwide ISP’s CRM, functionally means all or nearly all of the states in which Charter operates.
All 50 states have breach notification laws. The patchwork is genuinely complex:
Notification timelines vary significantly. Some states require notification within 72 hours of determining a breach has occurred (an obligation that tracks GDPR’s timeline and that is approaching consensus among newer state laws). Others allow 30 days, 45 days, or 60 days. Maryland requires notification without unreasonable delay. Florida requires 30 days. California requires notification in the most expedient time possible without unreasonable delay, with no specific deadline. Colorado and Virginia require 60 days. New York requires 30 days. These overlapping timelines mean Charter must identify the binding obligation across dozens of jurisdictions and manage notification to meet the shortest applicable deadline for each affected population.
Triggering data categories vary. Most states define a breach trigger that requires unauthorized access to specific data categories — typically combinations of name with Social Security number, financial account information, or government ID. Names and addresses alone may not trigger notification in all states. However, many states have expanded their definitions to include broader PII categories, and the confirmed categories of Charter’s breach — names, home addresses, phone numbers, and email addresses — likely trigger notification requirements in a substantial majority of the states where Charter operates.
Content requirements vary. States differ on what a notification must contain: some require specific disclosures of the attack vector, others require the precise dates of the breach and discovery, some require toll-free numbers for affected individuals, and several require specific language about credit monitoring availability or credit freeze rights. A legally compliant notification to affected customers in California may not satisfy the requirements for New York, and vice versa.
Regulator notification obligations add another layer. Several states require notification to the state attorney general contemporaneously with, or shortly after, customer notification. Illinois, New York, and California have their own notification requirements to state regulators. Managing these parallel tracks — customer notification and regulator notification, across dozens of jurisdictions, on varying timelines — is a significant legal operations undertaking.
For Charter, with a legal and compliance team accustomed to managing multi-state telecommunications regulation, this is not a novel challenge. But the combination of scale (13 million records), jurisdictional breadth (41 states served), and compressed timelines (triggered by the May 25 discovery date) means the notification workload is substantial regardless of institutional preparedness.
FTC Section 5 and ISP-Specific Exposure
Why ISPs Face Elevated FTC Scrutiny
The Federal Trade Commission has broad authority under Section 5 of the FTC Act to act against unfair or deceptive practices affecting commerce. That authority applies to ISPs. An ISP that represents, through public statements or privacy policies, that it implements reasonable security measures, and is then breached through a failure that reasonable security would have prevented, may face an FTC action premised on the gap between what was represented and what was implemented.
The FTC’s interest in ISP data security predates this breach. In 2023, the FTC studied how major ISPs collect, use, and share customer data — and found practices the agency characterized as creating significant privacy risks. The FTC has made clear through guidance and enforcement actions that ISPs, as infrastructure providers with particularly broad visibility into customer behavior, have elevated obligations to protect the data they collect.
The Reasonable Security Standard
Under FTC doctrine, the standard is not perfect security — it is security commensurate with the sensitivity of the data held and the likelihood of harm. Courts and the FTC itself have articulated factors that distinguish reasonable from unreasonable security: whether the company used multi-factor authentication on systems containing consumer data, whether it maintained access controls limiting who could reach sensitive data, whether it monitored for anomalous access patterns, and whether it trained employees on social engineering threats.
Vishing as an initial access vector is particularly significant in FTC analysis. If an attacker gained access to Charter’s Salesforce environment through a single employee’s compromised credentials, the FTC will ask whether Charter implemented controls that would have limited the blast radius of a single credential compromise. MFA resistant to phishing (hardware keys, passkeys), conditional access policies that flag authentication from unexpected locations, and privileged access management controls that limit what any single set of credentials can reach — these are controls that the FTC has treated as baseline expectations for organizations holding large volumes of consumer data.
The seven-week dwell time will also draw scrutiny. A threat actor spending two months inside a CRM environment without triggering detection alerts suggests that either detection coverage was inadequate, alert thresholds were set too permissively, or alerts were generated but not acted upon. Any of these failures maps to a potential FTC unfair practices finding.
The ShinyHunters-Salesforce Pattern
Three Major Breaches, One Attack Chain, One Month
The Charter breach is the third confirmed major breach in May 2026 attributed to ShinyHunters using a vishing attack to access a Salesforce CRM environment. Cushman & Wakefield, one of the world’s largest commercial real estate firms, disclosed in early May 2026 that a vishing attack had given ShinyHunters access to more than 500,000 Salesforce records. 7-Eleven disclosed a similar breach in the same period. Charter is the largest confirmed victim yet, by record count.
Three breaches via the same technique against the same platform type in a single month is a signal. It suggests that ShinyHunters has either developed or acquired a repeatable playbook — a vishing script effective enough against Salesforce-using organizations to be deployed at scale, combined with post-access techniques adapted specifically to Salesforce environments. The attacker knows what Salesforce data stores look like, knows how to query them efficiently, and knows how to exfiltrate data without triggering Salesforce’s native anomaly detection.
What the Salesforce Angle Means for Governance
The Charter breach is not a Salesforce security failure in the sense that the platform itself was compromised. The Salesforce platform, properly configured, provides extensive access controls, audit logging, and security features. The breach vector in the Charter case is not a Salesforce vulnerability — it is valid credentials obtained through vishing, which gave the attacker a legitimate authenticated session that Salesforce’s access controls are not designed to block.
This distinction matters for governance purposes. The question is not whether to trust Salesforce. The question is whether the controls layered around Salesforce — authentication policies, access scoping, behavioral monitoring, anomaly alerting — are calibrated to detect and limit the damage of a credential compromise.
For Salesforce deployments at scale, the controls that would have limited Charter’s exposure include:
Identity security hardening. MFA policies for Entra that require phishing-resistant authenticators — hardware keys or device-bound passkeys — rather than push notifications that an employee can approve in response to a vishing caller’s instruction. A push notification MFA factor can be defeated by vishing. A hardware key cannot be.
Salesforce access scoping. User profiles and permission sets should limit what any authenticated user can query, export, or access. A Salesforce user whose role is customer support should not have the permissions of a system administrator. The principle of least privilege is not a theoretical aspiration — it is the control that limits the blast radius of a compromised credential.
Salesforce Event Monitoring and Shield. Salesforce’s Event Monitoring and Salesforce Shield products provide detailed audit logs of user activity within the platform: what data was queried, what records were exported, what API calls were made. If Charter had Event Monitoring enabled and tuned to alert on anomalous bulk data access, a seven-week dwell time becomes much harder to sustain undetected. Whether these controls were in place and tuned appropriately will be a central question in any regulatory inquiry.
Behavioral analytics on authentication. Microsoft Entra’s Conditional Access policies can flag authentication events from unusual locations, unusual devices, or unusual times. An employee whose credentials were used to authenticate from an unexpected geography or at an atypical hour should trigger a step-up authentication challenge or an automatic session block. These policies are available within the standard Microsoft 365 compliance tooling. Whether they were enabled and configured meaningfully at Charter is an open question.
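The bulk-access alerting described above can be sketched as a per-user baseline check over exported audit events. This is an added example, not code from Charter, Salesforce, or Microsoft. The CSV column names, the sample rows, and the thresholds are constructed assumptions and do not reflect Salesforce's actual Event Monitoring schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export. Column names are hypothetical; map them to
# whatever fields your audit-log export actually provides.
SAMPLE_LOG = """\
timestamp,user,rows,source_ip
2026-01-05T09:12:00,agent.a,140,198.51.100.10
2026-01-05T15:40:00,agent.a,90,198.51.100.10
2026-01-06T10:02:00,agent.a,210,198.51.100.10
2026-01-07T11:30:00,agent.a,300,198.51.100.10
2026-01-08T09:45:00,agent.a,180,198.51.100.10
2026-01-09T02:14:00,agent.a,52000,203.0.113.77
2026-01-10T02:20:00,agent.a,48000,203.0.113.77
2026-01-11T02:05:00,agent.a,51000,203.0.113.77
2026-01-12T10:00:00,agent.a,160,198.51.100.10
2026-01-05T01:00:00,svc.report,20000,198.51.100.20
2026-01-06T01:00:00,svc.report,21000,198.51.100.20
2026-01-07T01:00:00,svc.report,19500,198.51.100.20
2026-01-08T01:00:00,svc.report,20500,198.51.100.20
2026-01-09T01:00:00,svc.report,22000,198.51.100.20
"""


def parse_events(text):
    """Parse the CSV export into typed records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "day": datetime.fromisoformat(row["timestamp"]).date(),
            "user": row["user"],
            "rows": int(row["rows"]),
            "ip": row["source_ip"],
        })
    return events


def find_bulk_access(events, multiplier=10, floor=5000, min_history=3):
    """Flag user-days whose row volume far exceeds that user's own baseline.

    A day is flagged when its total exceeds max(floor, multiplier * median of
    the user's earlier unflagged days). Flagged days never join the baseline,
    so weeks of sustained exfiltration cannot become the new normal.
    """
    # Aggregate rows and source IPs per user per day.
    per_user = defaultdict(lambda: defaultdict(lambda: {"rows": 0, "ips": set()}))
    for e in events:
        slot = per_user[e["user"]][e["day"]]
        slot["rows"] += e["rows"]
        slot["ips"].add(e["ip"])

    alerts = []
    for user, days in per_user.items():
        baseline_rows, baseline_ips = [], set()
        for day in sorted(days):
            total, ips = days[day]["rows"], days[day]["ips"]
            if len(baseline_rows) >= min_history:
                limit = max(floor, multiplier * median(baseline_rows))
                if total > limit:
                    alerts.append({
                        "user": user,
                        "day": day,
                        "rows": total,
                        "limit": limit,
                        # Source IPs never seen on this user's normal days:
                        # corroborating context for the analyst.
                        "new_ips": sorted(ips - baseline_ips),
                    })
                    continue  # keep the anomalous day out of the baseline
            baseline_rows.append(total)
            baseline_ips |= ips
    return alerts


if __name__ == "__main__":
    for a in find_bulk_access(parse_events(SAMPLE_LOG)):
        print(f'{a["day"]} {a["user"]}: {a["rows"]} rows '
              f'(limit {a["limit"]:.0f}), new source IPs: {a["new_ips"]}')
```

The reporting account in the sample moves about 20,000 rows every day and is never flagged, because it is judged against its own history rather than a single global threshold.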
Implications for Salesforce Customers Broadly
The ShinyHunters-Salesforce pattern has implications beyond Charter, Cushman & Wakefield, and 7-Eleven. Salesforce is one of the most widely deployed enterprise CRM platforms in the world. The playbook ShinyHunters has demonstrated — vishing to credential compromise, credential compromise to Salesforce access, Salesforce access to bulk data exfiltration — is not technically sophisticated. It does not require a zero-day exploit or a supply chain attack. It requires a phone call and a Salesforce user with insufficiently scoped permissions.
Organizations using Salesforce should treat the May 2026 breach wave as a direct signal. The attacker is not moving on. Salesforce CRM data — dense with customer PII, commercial intelligence, and potentially sensitive operational data — will remain a priority target. The defensive posture required is not exotic: it is phishing-resistant MFA, least-privilege access configuration, behavioral monitoring, and security awareness training specific to vishing scenarios.
Compliance Checklist for Telecommunications Companies and ISPs
Organizations operating in the telecommunications sector facing a breach of this type should address the following:
FCC CPNI obligations:
- Determine within 24-48 hours whether CPNI categories were accessed, as this determination triggers a separate, accelerated notification obligation to the FBI and Secret Service (seven business hours from confirmation).
- Preserve CPNI breach determination documentation, as regulatory inquiries will focus on the methodology and timeline of this determination.
- Review CPNI compliance program adequacy, including designated officer appointment and written policies, as breach events typically prompt regulatory review of the underlying compliance program.
SEC Form 8-K (Item 1.05):
- Initiate materiality analysis immediately upon breach confirmation; the four-business-day clock begins at determination of materiality, not at discovery.
- Document the materiality determination process, including the factors considered and the legal and business judgment applied; this documentation is the defense against a subsequent SEC inquiry into whether disclosure was timely.
- If a determination of non-materiality is made, document that determination with equal rigor.
Multi-state breach notification:
- Map affected customer records to state of residence to identify the applicable notification obligation in each jurisdiction.
- Identify the binding notification deadline across all applicable states; the shortest deadline governs the operational timeline.
- Prepare jurisdiction-specific notification letters that satisfy each state’s content requirements.
- Track state regulator notification obligations separately from customer notification obligations and manage both tracks simultaneously.
FTC Section 5 exposure:
- Conduct a post-breach assessment of the security controls that were in place at the time of the breach, with specific attention to authentication controls, access scoping on the Salesforce environment, and detection and response capabilities.
- Preserve all documentation of security policies, training programs, and vendor contracts relevant to the breached environment.
- Assess representations made in privacy policies and public communications about data security practices against the actual controls in place.
Salesforce environment remediation:
- Rotate all credentials that had access to the Salesforce environment.
- Review and tighten permission sets and profiles for all Salesforce users, applying least-privilege principles.
- Enable Salesforce Event Monitoring and review historical activity logs for the full intrusion period.
- Review Salesforce Connected App configurations and API access grants for unauthorized or unusual integrations.
- Implement or strengthen behavioral alerting for bulk data access, unusual query patterns, and data export events.
Identity and authentication hardening:
- Audit Microsoft Entra MFA policies for all user accounts, with priority on accounts with access to sensitive systems including CRM environments.
- Migrate from push notification MFA (susceptible to vishing) to phishing-resistant factors (FIDO2 hardware keys or device-bound passkeys) for accounts with access to high-value data environments.
- Review and tighten Conditional Access policies in Entra, including sign-in risk policies, location-based controls, and device compliance requirements.
Conclusion
Charter Communications’ breach confirms that ShinyHunters has a repeatable, scalable attack pattern — vishing to credential compromise, credential compromise to Salesforce access, Salesforce access to mass data exfiltration — and is deploying it against large enterprises with sufficient frequency to constitute a campaign rather than a series of isolated incidents. Charter is not a uniquely negligent target. It is the third major organization confirmed victimized by the same attacker using the same technique in a single month.
The regulatory consequences for Charter are layered in ways that distinguish ISP breaches from those affecting most other sectors. The FCC’s CPNI framework, the SEC’s materiality disclosure clock, a 50-state notification patchwork, and FTC Section 5 exposure all run simultaneously. Charter’s CPNI denial was the most strategically important statement in its public disclosure, because it determines whether the most prescriptive tier of federal telecom regulation applies. If that denial holds under forensic scrutiny, Charter’s regulatory exposure remains substantial but shifts toward the multi-state notification framework and FTC oversight rather than FCC enforcement.
For every organization that uses Salesforce — and for every ISP that holds dense concentrations of consumer data — the Charter breach is an instruction: phishing-resistant authentication, least-privilege access, and behavioral monitoring are not aspirational controls. They are the baseline that regulators and plaintiffs’ attorneys will measure your program against when the breach happens.
This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations.



