According to the lawsuit, which was filed in late 2022, T-Mobile puts its customer data and credentials in one big, unified database to train its AI and machine learning models, undermining data security. It argues that ‘this single-point of access data centralization’ is contrary to well-established data security and storage practices.
“In order to train the sophisticated AI and machine learning models T-Mobile needed … T-Mobile pooled all its data, pooled credentials, and prioritized (and still prioritizes) model training and accessibility over data security.” – Lawsuit against T-Mobile
T-Mobile and its parent company Deutsche Telekom (DT) have denied the allegations in the lawsuit, saying that it’s based on speculation instead of facts.
“Plaintiff points to no T-Mobile board minutes discussing any directive or any documents (either internal or external) at all that mention such a directive. Plaintiff’s opposition ignores that fatal flaw and instead asks the court to infer such a directive based on nothing more than (1) two YouTube videos, (2) an irrelevant PowerPoint slide from a DT supervisory board meeting, and (3) the fact that T-Mobile announced a merger with Sprint in 2018. None of those comes close to supporting such an inference.” – T-Mobile
This is not the first time a company has come under fire for using available data to train its systems, and existing regulations provide no clear guidance on what’s acceptable and what’s not. Any company using AI needs an enormous amount of data to train its AI models and improve its services and operations.
The lawsuit goes on to say that DT’s AI efforts stretched into T-Mobile after it acquired Sprint. Apparently, T-Mobile cut corners to remain a part of the AI program. T-Mobile has rubbished the allegations.
“Plaintiff’s central thesis – that T-Mobile’s board disloyally allowed DT to ‘loot’ T-Mobile’s data, for DT’s own benefit, thus exposing T-Mobile to cyberattacks – is based solely on speculation (piled on speculation), not well-pleaded facts.” – T-Mobile
For instance, T-Mobile opted for the programming language R, which is normally used for statistical modeling and lacks fundamental security features, instead of a sophisticated language like Python to create machine-learning applications.
The lawsuit also says that T-Mobile developed an application programming interface (API) called qAPI with the ability to interact with various databases of information but failed to implement a secure method for accessing it. This created a single point of failure for security.
“Critically, qAPI allowed ‘credential’ centralization. That meant that individual usernames and passwords or other database access keys would not have to be maintained by each app. They would be held by the API, which in turn would enforce access from querying apps. This meant that the credentials for every database would be centrally maintained – creating a single point of failure for T-Mobile’s security. As a result, a single compromised test server anywhere in the entire T-Mobile ecosystem can easily and durably access, save and export the entirety of T-Mobile’s data ecosystem – because T-Mobile designed its system that way” – Lawsuit against T-Mobile
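The design trade-off the complaint describes can be made concrete with an added example, which is not code from the lawsuit, T-Mobile or qAPI: a central broker where one shared key reaches every database, beside one that uses per-app keys, a per-app allow-list and short-lived signed grants. All app names, database names and keys are constructed, and `blast_radius` is a hypothetical helper that lists what a single leaked key can reach.

```python
import hashlib
import hmac
import time

# Constructed sample data: all database names, app names and keys are hypothetical.
DATABASES = ("billing", "subscribers", "test_metrics")

class FlatBroker:
    """Weak pattern: one shared key authorizes access to every database."""
    def __init__(self, shared_key: bytes):
        self._shared_key = shared_key
    def authorize(self, app: str, key: bytes, database: str) -> bool:
        return hmac.compare_digest(key, self._shared_key) and database in DATABASES

class ScopedBroker:
    """Hardened pattern: per-app keys, per-app allow-list, short-lived signed grants."""
    def __init__(self, signing_key: bytes, app_keys: dict, policy: dict, ttl: int = 300):
        self._signing_key, self._app_keys = signing_key, app_keys
        self._policy, self._ttl = policy, ttl
    def _tag(self, msg: str) -> str:
        return hmac.new(self._signing_key, msg.encode(), hashlib.sha256).hexdigest()

    def issue_grant(self, app: str, key: bytes, database: str, now: float = None) -> str:
        expected = self._app_keys.get(app)
        if expected is None or not hmac.compare_digest(key, expected):
            raise PermissionError("unknown app or bad key")
        if database not in self._policy.get(app, ()):
            raise PermissionError(f"{app} may not access {database}")
        expires = int(time.time() if now is None else now) + self._ttl
        msg = f"{app}|{database}|{expires}"
        return f"{msg}|{self._tag(msg)}"

    def verify_grant(self, grant: str, now: float = None) -> str:
        msg, _, tag = grant.rpartition("|")
        if not hmac.compare_digest(tag.encode(), self._tag(msg).encode()):
            raise PermissionError("forged or corrupted grant")
        _app, database, expires = msg.split("|")
        if (time.time() if now is None else now) > int(expires):
            raise PermissionError("grant expired")
        return database

    def authorize(self, app: str, key: bytes, database: str) -> bool:
        try:
            return self.verify_grant(self.issue_grant(app, key, database)) == database
        except PermissionError:
            return False

def blast_radius(broker, app: str, key: bytes) -> set:
    """Databases reachable by whoever holds this one app's key."""
    return {db for db in DATABASES if broker.authorize(app, key, db)}
```

With the flat broker, the key held by a test server reaches all three databases; with the scoped broker the same compromise is limited to that server's allow-list, and a captured grant stops working after its TTL.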