AT&T Breached (Again) | How legitimate is 'legitimate interest' as a basis for scraping FB & Insta data?
CyberInsights #148 - What does it mean for AT&T customers? | Meta's usage of Facebook and Instagram data to train its AI model now raises concerns in the UK as well.
AT&T’s workspace on a third-party cloud platform reportedly breached
Is it a supply-chain vulnerability, or a classic case of ‘security of the cloud’ vs. ‘security in the cloud’?
AT&T has reported a data breach. What was breached?
Records of calls
Records of texts
Telephone numbers of AT&T customers
Telephone numbers of AT&T MVNO users (MVNO: Mobile Virtual Network Operator - a company that sells its own cellular service but uses AT&T infrastructure. See the Annex for a list of MVNOs using AT&T infrastructure)
Telephone numbers of other telcos (the calls that landed on the AT&T network at that time)
Interactions (meaning, which number called which number and how many times)
Aggregate call duration for the day or month
In some cases, the cell site identification number (a way to know the approximate location of a number)
What was not breached?
Content of calls
Content of texts
No PII, except for the phone number
AT&T clearly says that while names of subscribers were not breached, there are easy online methods to find a name, given a telephone number. The website osintframework.com lists many such methods for extracting information from phone numbers.
AT&T also suffered a major breach a few months ago, which included social security numbers of nearly 73 million customers. AT&T says the two incidents are not related to each other. The earlier incident was related to the Snowflake data breach.
The US DOJ asked AT&T to delay reporting to investigate national security concerns:
Read the linked article on CNN to know more about what national security concerns could be present. [LINK]
Take Action:
There are two key takeaways for cybersecurity professionals here:
Remember, it’s not the cloud. It’s just someone else’s computer. Take all the necessary cloud security precautions. Get certified on cloud security. It helps.
Whenever there are two separate operating environments - in this case a cellular network and a regular IP network, or in other cases an OT network and a regular IP network - there is a chance that responsibilities fall through the gap between them. Clearly identify and list who is responsible for the security of each network.
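One concrete precaution behind the first takeaway: the data in the breached workspace was call and text metadata (numbers, interaction counts, aggregate durations, cell site IDs), not content. Metadata of that shape can be analysed without the raw phone numbers ever leaving the carrier's own network. The following is an added example, not AT&T's code or anything from the incident report, of pseudonymising CDR-like rows before they are exported to a third-party analytics workspace. Phone numbers are replaced with keyed HMAC tokens (a plain hash would not do, because the phone-number space is small enough to brute-force), the cell site field is dropped because the aggregates do not need it, and the analytics (interaction counts, per-caller total duration) still work on the tokens. The field names and the sample rows are constructed for this example; the key is a placeholder that in practice would live in the carrier's own KMS.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample CDR-like rows with fictional 555-range numbers.
# The field names are an assumption for this example, not any carrier's schema.
SAMPLE_RECORDS = [
    {"caller": "+12025550123", "callee": "+12025550188", "kind": "call",
     "duration_s": 120, "cell_site": "310-410-12345-67890"},
    {"caller": "+12025550123", "callee": "+12025550188", "kind": "call",
     "duration_s": 45, "cell_site": "310-410-12345-67890"},
    {"caller": "+12025550199", "callee": "+12025550123", "kind": "text",
     "duration_s": 0, "cell_site": "310-410-12345-67001"},
]

# Placeholder key for the demonstration only. In a real deployment the key stays
# in the carrier's KMS/HSM and is never shipped to the analytics workspace, so
# a breach of that workspace yields tokens that cannot be mapped back to numbers.
DEMO_KEY = b"constructed-demo-key-replace-me"


def tokenize(number: str, key: bytes) -> str:
    """Keyed pseudonym for a phone number.

    Same number -> same token (so joins and counts still work), but without the
    key an attacker cannot enumerate the ~10^10 possible numbers to reverse it,
    which is exactly what an unkeyed SHA-256 of the number would allow.
    """
    return hmac.new(key, number.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return export-safe copies of the rows: tokens instead of numbers,
    cell_site deliberately dropped (approximate location is not needed for
    the aggregate analytics below)."""
    safe = []
    for r in records:
        safe.append({
            "caller": tokenize(r["caller"], key),
            "callee": tokenize(r["callee"], key),
            "kind": r["kind"],
            "duration_s": r["duration_s"],
        })
    return safe


def contains_raw_numbers(records, raw_numbers) -> bool:
    """Export gate: refuse to ship a batch if any raw number survives in it."""
    blob = json.dumps(records)
    return any(n in blob for n in raw_numbers)


def interaction_counts(records):
    """How many times each (caller, callee) pair interacted; works on tokens."""
    return Counter((r["caller"], r["callee"]) for r in records)


def total_duration_by_caller(records):
    """Aggregate call duration per caller; also works on tokens."""
    totals = {}
    for r in records:
        totals[r["caller"]] = totals.get(r["caller"], 0) + r["duration_s"]
    return totals


if __name__ == "__main__":
    raw = {r["caller"] for r in SAMPLE_RECORDS} | {r["callee"] for r in SAMPLE_RECORDS}
    safe = pseudonymize(SAMPLE_RECORDS, DEMO_KEY)
    if contains_raw_numbers(safe, raw):
        raise SystemExit("export blocked: raw phone numbers present")
    print(json.dumps(safe, indent=2))
    print(interaction_counts(safe).most_common(3))
    print(total_duration_by_caller(safe))
```

The export gate at the end is the part worth copying: whatever the pseudonymisation scheme, check the outgoing batch for the identifiers you meant to remove before it crosses the boundary into someone else's computer.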
Annex: Which MVNOs use AT&T Infrastructure?
Asked which MVNOs run on AT&T's network, a web-scraping AI tool gave this list:
Cricket Wireless - This is one of the largest and most well-known AT&T MVNOs, owned by AT&T itself.
Consumer Cellular - This MVNO uses both AT&T and T-Mobile networks, and is particularly popular among seniors.
FreedomPop - Utilizes both AT&T and T-Mobile networks.
FreeUP Mobile - Exclusively uses AT&T's network.
Good2Go Mobile - Operates solely on AT&T's network.
H2O Wireless - Another AT&T-only MVNO.
PureTalk - Exclusively uses AT&T's network.
Red Pocket - Uses multiple networks including AT&T, T-Mobile, and Verizon.
Straight Talk - Operates on multiple networks including AT&T, T-Mobile, and Verizon.
TracFone - Like Straight Talk, it uses multiple networks including AT&T.
Boost Infinite - Recently added to the list of AT&T MVNOs.
Black Wireless - Offers service on AT&T's network.
Meta and the scraping of user data to train its AI models
Training your AI model to work better than a competitor's is a business interest. Is it a ‘legitimate interest’?
Legitimate interest is one of the six lawful bases for processing personal data under the GDPR.
It allows organizations to process data without consent if they have a legitimate reason that is not overridden by the individuals' rights and freedoms. Direct marketing, for example, can be a legitimate interest.
However, organizations must be transparent about their reliance on legitimate interest and must allow individuals to object to processing based on this ground.
After a privacy protest in the EU, Meta decided to stop training its AI model on scraped Facebook and Instagram data of its EU users. However, it continues to do the same in the rest of the world, including the UK.
UK privacy groups have protested this. [LINK]
As for the rest of the world, we are blissfully uninterested.
Take Action:
Have I said this before? Stop using Facebook and Instagram. And while you are at it, stop using WhatsApp too.
If you find that too hard, ensure that you do not put anything on these platforms that you do not want to find in a reply in ChatGPT or Gemini Pro.
Now that you know Meta uses your posts to train its AI, what are you planning to do? Answer this poll.
Great post. On the Meta scraping user data piece, I am utterly not shocked. I've commented on a few notes in here saying that although none of the big tech companies are run on love and altruism, Meta always strikes me as by far the worst of the worst. I stopped using all of Meta's tools years ago for the same reasons as you outline and more.