Is T-Mobile's AI training model the reason it keeps getting hacked?

A new lawsuit claims that T-Mobile is training its AI programs on customer data that is centrally stored and not secure. But the company blasted that allegation as 'based solely on speculation ... not well-pleaded facts.'

Mike Dano, Editorial Director, 5G & Mobile Strategies

February 14, 2024

A new lawsuit against T-Mobile's board of directors contains some surprising – and timely – accusations against the 5G provider: that it pooled its customers' data into one big database that it is using to train its AI services, and that this is the reason the US company has suffered through a series of devastating hacks into its systems.

"In order to train the sophisticated AI and machine learning models T-Mobile needed ... T-Mobile pooled all its data, pooled credentials, and prioritized (and still prioritizes) model training and accessibility over data security," according to the lawsuit, which was filed by a T-Mobile investor.

"Because T-Mobile centrally maintains credentials and configurations for its databases, then allows software programs to query and combine their disparate data, T-Mobile essentially maintains a single consolidated pool of data," the lawsuit states. "This single-point of access data centralization is incredibly dangerous – and a serious departure from well-accepted baseline data security and enterprise data storage practices."

T-Mobile and its parent company Deutsche Telekom (DT) have soundly rejected the allegations in the lawsuit.

T-Mobile responds

The lawsuit "is based solely on speculation (piled on speculation), not well-pleaded facts," according to T-Mobile's response to the plaintiff's initial claims. The response was filed in Delaware Court of Chancery.

"Plaintiff points to no T-Mobile board minutes discussing any directive or any documents (either internal or external) at all that mention such a directive," T-Mobile's response continues. "Plaintiff's opposition ignores that fatal flaw and instead asks the court to infer such a directive based on nothing more than (1) two YouTube videos, (2) an irrelevant PowerPoint slide from a DT supervisory board meeting, and (3) the fact that T-Mobile announced a merger with Sprint in 2018. None of those comes close to supporting such an inference."

The Delaware Court of Chancery is often the forum for disputes involving the internal affairs of corporations. The lawsuit against members of T-Mobile's board was first filed by T-Mobile investor Jenna Harper in late 2022. Lawyers in the case earlier this month presented their arguments before Vice Chancellor Sam Glasscock III, who reportedly seemed skeptical of some of the lawsuit's claims.

It's unclear what might happen next in the case, which is being viewed by some as an important look into the sometimes murky rules around AI development, security and data management. Leading AI companies including ChatGPT have argued that AI services are only as good as the data they're trained on – the more data, the better. And in the wireless industry, network operators command vast amounts of data about their operations and their customers.

Teaching the AI

According to Harper's lawsuit, T-Mobile's AI efforts stem from a program started in 2014 in DT's T-Labs research division. "DT's plan – unprecedented in the staid telecommunications space – was to roll out a unified, incredibly audacious data-mining and AI-training architecture," according to the lawsuit.

The suit notes that the effort initially fell under DT's "big data" efforts. Big data is a term that has been used to describe using high-performance computing services – including those running in the cloud – to comb through mountains of data to glean business insights. Today, however, big data has been mostly subsumed by the AI craze because artificial intelligence is used to find correlations inside those data warehouses.

According to Harper's complaint, DT sought a leg up over competitors by unifying its "data lake" across business units and country borders. "Deutsche Telekom has launched an overarching AI program, eLIZA, for the purpose of linking all AI solutions within the Deutsche Telekom Group," the lawsuit states. Doing so will "commingle and share everything learned from that data, including ML/AI models, for the benefit of DT as a whole," it adds.

The AI program stretched into T-Mobile following its acquisition of Sprint, which closed in 2020, according to the suit. DT has been increasing its ownership stake in T-Mobile since that merger.

However, T-Mobile sought to cut corners in its efforts to participate in DT's AI program, according to the lawsuit.

The 'qAPI' hole

"For example, although most enterprises used sophisticated and robust programming languages, such as Python, to develop machine-learning applications, T-Mobile's team used the programming language R – a language used for statistical modeling," according to the lawsuit. "While R could help T-Mobile's data scientists rapidly prove that their ML models had predictive capacity, the language was poorly suited to security, data management and data infrastructure, as it lacked many of the software libraries available in other programming languages, like Python."

The complaint also states that T-Mobile created an application programming interface (API) that could interact with multiple databases of information. But the company didn't implement a secure method for accessing that API, dubbed qAPI.

"Critically, qAPI allowed 'credential' centralization," according to the lawsuit. "That meant that individual usernames and passwords or other database access keys would not have to be maintained by each app. They would be held by the API, which in turn would enforce access from querying apps. This meant that the credentials for every database would be centrally maintained – creating a single point of failure for T-Mobile's security."

The complaint continues: "As a result, a single compromised test server anywhere in the entire T-Mobile ecosystem can easily and durably access, save and export the entirety of T-Mobile's data ecosystem – because T-Mobile designed its system that way."
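The single-point-of-failure claim can be examined as a reachability question over a model of the architecture the complaint describes. This is an added example, not code from the article, the lawsuit or T-Mobile: the host, credential and database names are constructed, and it assumes that reaching the broker yields use of every credential the broker holds.

```python
from collections import deque

# Constructed graphs: an edge A -> B means "control of A yields use of B".
# Modelling assumption: reaching the broker yields every credential it holds.
DBS = ["customers", "billing", "network-logs", "test"]
CRED_TO_DB = {f"cred:{d}": [f"db:{d}"] for d in DBS}

CENTRALIZED = {  # every host queries one broker that stores all credentials
    "host:test-server": ["svc:broker"],
    "host:billing-app": ["svc:broker"],
    "host:ml-trainer": ["svc:broker"],
    "svc:broker": list(CRED_TO_DB),
    **CRED_TO_DB,
}
SCOPED = {  # each host holds only the credentials its own job needs
    "host:test-server": ["cred:test"],
    "host:billing-app": ["cred:billing"],
    "host:ml-trainer": ["cred:customers", "cred:network-logs"],
    **CRED_TO_DB,
}

def reachable(edges, start):
    """Breadth-first search: every node obtainable from a foothold on `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_databases(edges, start):
    """Databases readable after compromising `start` (the blast radius)."""
    return sorted(n for n in reachable(edges, start) if n.startswith("db:"))

def single_points_of_failure(edges):
    """Hosts and services whose compromise alone exposes every database."""
    all_dbs = sorted(f"db:{d}" for d in DBS)
    return sorted(n for n in edges
                  if n.startswith(("host:", "svc:"))
                  and exposed_databases(edges, n) == all_dbs)

if __name__ == "__main__":
    for name, graph in (("centralized", CENTRALIZED), ("scoped", SCOPED)):
        print(name, exposed_databases(graph, "host:test-server"),
              single_points_of_failure(graph))
```

In the centralized model every host is a single point of failure, not just the broker; in the scoped model the same test-server foothold reaches only the test database.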

The hacks

Harper's lawsuit then highlights the multiple breaches into T-Mobile's security systems that happened shortly after the company closed its merger with Sprint. The most serious occurred in August 2021, when John Binns discovered "an unprotected [T-Mobile] router exposed on the Internet." The 21-year-old told his story to The Wall Street Journal.

"In short, Binns found a single unsecured router publicly exposed on T-Mobile's network, and was quickly able to gain access to a centralized repository of credentials that allowed him the keys to T-Mobile's entire data kingdom, including more than 100 servers," the lawsuit states. "This matches the precise architecture of the qAPI system."

The lawsuit also alleges that T-Mobile hasn't fixed its data architecture, and is maintaining its systems in order to continue participating in DT's wide-ranging AI training efforts.

But that argument doesn't fly, according to DT and T-Mobile.

"Plaintiff's central thesis – that T-Mobile's board disloyally allowed DT to 'loot' T-Mobile's data, for DT's own benefit, thus exposing T-Mobile to cyberattacks – is based solely on speculation (piled on speculation), not well-pleaded facts," T-Mobile's response states. 

The context and the background

Big data, and now AI, remain hot topics in the wireless industry and in the wider tech marketplace. For example, AT&T has detailed its own efforts to unify its data assets to improve business strategies.

"AT&T carries more than 534.7 petabytes of data across its global network every day," explains AT&T's Andy Markus, chief data officer, in a 2022 post to the company's website. "To manage data at this scale, the CDO [Chief Data Office] team has defined a common approach to how data is stored, managed, accessed and shared across AT&T."

By applying AI technologies to all that data, AT&T says it has been able to block robocalls, predict outages and develop virtual assistants for customer care services, among other services. Other carriers have boasted of similar efforts.

AI is also becoming a key technological consideration among telecom vendors. Giants like Ericsson and startups like Aira Technologies are promising dramatic improvements in performance and operations thanks to AI. But the gains are contingent on the vendors' ability to sift through mountains of networking data.

As a result, such data is growing in value. For example, companies like The New York Times are moving to prevent generative AI companies from using their data to train AI agents. In response, ChatGPT has proposed ways for content owners to license their data for AI training programs.

Indeed, AI technology continues to create sticky legal questions. For example, the US Patent and Trademark Office now has guidelines on how to award patents that are generated through AI platforms.

Finally, cybersecurity remains a top concern among regulators and others. For example, the FCC recently moved forward with rules that would require mobile network operators to notify customers when their data is illegally accessed.

About the Author(s)

Mike Dano

Editorial Director, 5G & Mobile Strategies, Light Reading

Mike Dano is Light Reading's Editorial Director, 5G & Mobile Strategies. Mike can be reached at [email protected], @mikeddano or on LinkedIn.

Based in Denver, Mike has covered the wireless industry as a journalist for almost two decades, first at RCR Wireless News and then at FierceWireless, and recalls once writing a story about the transition from black-and-white to color screens on cell phones.
