Play ransomware has posted Hightower Communications, a US telecommunications provider, to its dark web leak site alongside Digitall Graphics. The listing marks the second US telecommunications company claimed by the group within ten days, following the May 25 posting of Legend Networking and Telecom, and suggests deliberate sector-focused targeting rather than opportunistic compromise.
The Data at Stake in a Telecom Compromise
Telecommunications providers hold a data profile that is broader and more sensitive than most industries. For Hightower Communications, the categories at risk include subscriber identity records, call detail records, SMS metadata, billing records, and network routing configurations. Emergency services subscriber data — information tied to E911 systems — and potentially law enforcement intercept infrastructure governed by CALEA may also be within scope, depending on what Hightower’s network architecture encompasses.
Subscriber Records and Call Detail Data
Call detail records document who called whom, when, for how long, and from which location. Even without the content of calls, CDR data provides a detailed map of an individual’s social and professional contacts, movement patterns, and behavioral routines. At scale, across thousands of subscribers, CDR data represents an intelligence asset with applications ranging from targeted fraud to surveillance. SMS metadata carries a comparable profile. The exposure of this data class from a telecommunications provider is categorically different from a retail or healthcare breach.
CPNI Obligations and FCC Notification Requirements
Hightower Communications, as a telecommunications carrier, is subject to the FCC’s updated breach notification rules and Customer Proprietary Network Information regulations under the Communications Act. CPNI — the class of data covering a subscriber’s use of telecommunications services — carries disclosure obligations that operate in parallel with and in addition to standard state data breach notification laws. Depending on what data Play ransomware has obtained and what it publishes, Hightower faces a disclosure timeline and regulatory process that extends beyond the typical state attorney general notification framework.
Play’s Targeting Pattern in 2026
Play ransomware’s historical operational data indicates an average delay of approximately 33 days between initial compromise and the appearance of a victim on its leak site. Applied to the Hightower Communications listing, that timeline places the likely initial compromise in late April or early May — a period preceding the public posting by weeks. The organization would have been operating under attacker access during that window without the public visibility that a leak site posting creates.
Consecutive Telecom Listings and Sector Pressure
The back-to-back listing of Legend Networking and Telecom on May 25 and Hightower Communications in the current batch, within a ten-day span, fits a pattern of deliberate sector targeting. Play has a documented history of targeting US communications infrastructure, and two US telecom victims in rapid succession suggest either active targeting of the sector or simultaneous campaigns against multiple providers. Either interpretation means the broader US telecommunications sector faces elevated exposure from this group in the current period.
Scope and Response Uncertainties
Hightower Communications has not publicly confirmed the breach, and the scope of data actually in Play’s possession has not been independently verified. Ransomware leak site postings reflect the attacker’s claims, not a confirmed forensic accounting of what was taken. What the listing establishes with certainty is that the group is asserting access and threatening publication — which initiates the regulatory clock and creates notification obligations regardless of whether the full extent of the compromise is yet known.
The combination of sensitive subscriber data, regulatory exposure under FCC rules, and Play’s track record of following through on leak site postings means Hightower Communications faces immediate legal, operational, and reputational pressures. Subscribers, particularly those whose data may include call detail records, CPNI-protected information, or E911 data, have limited options beyond monitoring for downstream fraud and waiting for official disclosure from the company.
