Lawsuit explains how T-Mobile is exposing customer data to hackers
Artificial intelligence (AI) is something nearly all big companies are using to get ahead of the competition, but the way T-Mobile is going about it is proving to be harmful for its customers, says a lawsuit filed by T-Mobile investor Jenna Harper.
According to the lawsuit, which was filed in late 2022, T-Mobile puts its customer data and credentials in one big, unified database to train its AI and machine learning models, undermining data security. It argues that 'this single-point of access data centralization' is contrary to well-established data security and storage practices.
"In order to train the sophisticated AI and machine learning models T-Mobile needed ... T-Mobile pooled all its data, pooled credentials, and prioritized (and still prioritizes) model training and accessibility over data security." - Lawsuit against T-Mobile
T-Mobile and its parent company Deutsche Telekom (DT) have denied the allegations in the lawsuit, saying that it's based on speculation instead of facts.
"Plaintiff points to no T-Mobile board minutes discussing any directive or any documents (either internal or external) at all that mention such a directive. Plaintiff's opposition ignores that fatal flaw and instead asks the court to infer such a directive based on nothing more than (1) two YouTube videos, (2) an irrelevant PowerPoint slide from a DT supervisory board meeting, and (3) the fact that T-Mobile announced a merger with Sprint in 2018. None of those comes close to supporting such an inference." - T-Mobile
As Light Reading notes, T-Mobile filed the response in the Delaware Court of Chancery, which is where disputes regarding the internal affairs of companies are often brought. Vice Chancellor Sam Glasscock III listened to arguments made by lawyers earlier this month.
This is not the first time a company has come under fire for using available data to train its systems, and the existing regulations provide no clear guidance on what's acceptable and what's not. Any company using AI needs an enormous amount of data to train its AI models and improve its services and operations.
The main point of the lawsuit is T-Mobile's unified data-mining and AI-training architecture. Its foundation can be traced back to a program started by DT's T-Labs research division in 2014. The lawsuit says that DT wanted to edge out rivals by unifying its data repository across business units and country borders.
The lawsuit goes on to say that DT's AI efforts stretched into T-Mobile after it acquired Sprint. Apparently, T-Mobile cut corners to remain a part of the AI program. T-Mobile has rubbished the allegations.
"Plaintiff's central thesis – that T-Mobile's board disloyally allowed DT to 'loot' T-Mobile's data, for DT's own benefit, thus exposing T-Mobile to cyberattacks – is based solely on speculation (piled on speculation), not well-pleaded facts." - T-Mobile
For instance, T-Mobile opted for the programming language R, which is normally used for statistical modeling and lacks fundamental security features, instead of a sophisticated language like Python to create machine-learning applications.
The lawsuit also says that T-Mobile developed an application programming interface (API) called qAPI with the ability to interact with various databases of information but failed to implement a secure method for accessing it. This created a single point of failure for security.
"Critically, qAPI allowed 'credential' centralization. That meant that individual usernames and passwords or other database access keys would not have to be maintained by each app. They would be held by the API, which in turn would enforce access from querying apps. This meant that the credentials for every database would be centrally maintained – creating a single point of failure for T-Mobile's security. As a result, a single compromised test server anywhere in the entire T-Mobile ecosystem can easily and durably access, save and export the entirety of T-Mobile's data ecosystem – because T-Mobile designed its system that way" - Lawsuit against T-Mobile
To support the claims, the complaint points out that T-Mobile has been the victim of multiple hacks after its merger with Sprint, including one in August 2021 that happened due to a single publicly exposed router.