What the Mixpanel case teaches us, and why it is all a matter of the structural fragility of a network made up of subcontractors, clouds and interconnected services
By Andrea Monti – originally published in La Repubblica-Italian Tech
Last weekend, OpenAI announced on its blog that Mixpanel had suffered a data exfiltration. Mixpanel is a data analytics provider that, on behalf of Altman’s company, collects and processes data generated by the use of Application Programming Interfaces (APIs) — the software interfaces that allow devices such as smartphones, laptops and PCs to communicate dynamically with servers that provide data processing services.
No risk to users
OpenAI specified that the event did not affect systems under its direct control and that user data and data on their use of the platform were not compromised. In other words, the perpetrators of the attack did not gain access to login credentials, copies of identity documents, payment details or, last but not least, chat content. What was “leaked” instead was data relating to users who interact via the API: name, email address, and the city, state and country detected via the browser.
Nothing (unfortunately) new under the sun
In itself, at least according to OpenAI’s official statement, the event is not particularly serious, but above all, it is nothing new. Periodically, in fact, this or that company, not only among Big Tech, suffers the consequences of what is called a “supply-chain attack”.
This explains clearly what happened and why this type of event is essentially inevitable: there are very few services — if any — that run on infrastructure under the total control of those who offer them, and so the possibility of hitting the “big target” extends to targets that are easier to attack.
The paradox of integration
Even a platform that wants to keep its dependencies to a minimum could, for example, use a virtual server provider that relies on a virtualisation sub-supplier, which in turn relies on a physical server sub-supplier, which installs the machines in a data centre belonging to yet another entity. Furthermore, if the services are provided in the cloud, this whole infrastructure can be replicated in different locations.
As if that were not enough, other services are horizontally linked to each link in this chain, from cybersecurity to analytics (as in the case of Mixpanel), and each of these may itself be structured according to the vertical scheme just described.
If we add to this the fact that Big Internet includes operators such as Google, Cloudflare and Amazon Web Services, which concentrate a significant share of these services, it is clear that incidents, negligence or criminal actions affecting a remote point in the infrastructure can have unpredictable consequences.
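The layered chain just described can be written down as a dependency graph and queried, which is how a defender turns “unpredictable consequences” into a concrete list of what a given supplier can drag down. The following is an added example, not code from the article; the supplier names are constructed to mirror the chain in the text (platform, virtual server provider, virtualisation sub-supplier, physical server sub-supplier, data centre operator, plus horizontally linked analytics and security services). It computes the transitive upstream trust a service inherits, the blast radius of a compromise at any node, the contractual distance between a service and a remote supplier, and the providers that several consumers silently share.

```python
"""Map a layered supply chain and compute exposure (added example, constructed data)."""
from collections import deque

# Constructed edges: each key depends on the providers listed for it.
# The vertical chain follows the article; "analytics" and "cdn-security" are the
# horizontal links that re-enter the same chain further down.
SUPPLY_CHAIN = {
    "platform": ["virtual-server-provider", "analytics", "cdn-security"],
    "virtual-server-provider": ["virtualisation-subsupplier"],
    "virtualisation-subsupplier": ["physical-server-subsupplier"],
    "physical-server-subsupplier": ["datacentre-operator"],
    "analytics": ["virtual-server-provider"],
    "cdn-security": ["datacentre-operator"],
}


def invert(graph):
    """Map each provider to the set of consumers that depend on it."""
    rev = {}
    for consumer, providers in graph.items():
        rev.setdefault(consumer, set())
        for provider in providers:
            rev.setdefault(provider, set()).add(consumer)
    return rev


def upstream(graph, service):
    """Every provider that `service` transitively depends on: the trust it inherits."""
    seen, queue = set(), deque([service])
    while queue:
        node = queue.popleft()
        for provider in graph.get(node, []):
            if provider not in seen:
                seen.add(provider)
                queue.append(provider)
    return seen


def blast_radius(graph, compromised):
    """Every consumer reachable from a compromised provider, i.e. who is affected."""
    return upstream(invert(graph), compromised)


def depth_to(graph, service, provider):
    """Shortest number of contractual hops from `service` to `provider` (None if unrelated)."""
    dist, queue = {service: 0}, deque([service])
    while queue:
        node = queue.popleft()
        if node == provider:
            return dist[node]
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def shared_providers(graph):
    """Providers that more than one consumer depends on: single points of failure."""
    return {p: sorted(c) for p, c in invert(graph).items() if len(c) > 1}


if __name__ == "__main__":
    print("platform inherits trust from:", sorted(upstream(SUPPLY_CHAIN, "platform")))
    print("data centre incident reaches:", sorted(blast_radius(SUPPLY_CHAIN, "datacentre-operator")))
    print("analytics incident reaches:", sorted(blast_radius(SUPPLY_CHAIN, "analytics")))
    print("hops from platform to data centre:", depth_to(SUPPLY_CHAIN, "platform", "datacentre-operator"))
    print("shared providers:", shared_providers(SUPPLY_CHAIN))
```

Two readings of the output matter in practice. A compromise at the analytics provider reaches the platform even though no platform system is touched, which is the Mixpanel situation; and the data centre operator, four contractual hops down the vertical chain, is only two hops away once the horizontal security service is counted, so the shortest path to a remote supplier is often not the one written in the contracts.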
The price of an industrial choice
This technological model is the result of a precise industrial strategy that has been consolidated over the years and has expanded dramatically, as demonstrated by the analysis of cookies and trackers that are sent to our computers on a daily basis. These pieces of code not only indicate who is collecting information about our use of the network, but also tell us how many entities are involved in this activity.
The consequence is inevitable: the more services are integrated, the greater the likelihood that one or more links will break somewhere, dragging down everything that depends on them, with consequences that are often felt across half the world. The ransomware infections that show no sign of decreasing demonstrate this, as do the incidents caused by oversights, such as the recent Cloudflare case or that of Crowdstrike some time ago.
The geopolitics of distributed services
The vulnerability of this model of platform service organisation, however, is not (only) technological but above all geopolitical. The inevitable dependence on suppliers operating in multiple locations around the world, not all of which necessarily belong to the same area of influence, makes these entities attractive targets, given that as their size decreases, so too do the budgets — and the care — devoted to system security. Although less dramatic, the issue is exactly the same as that of subcontracting in the construction industry, where the lengthening of the supply chain translates into less attention being paid to the safety of people who, through no fault of their own, risk and lose their lives.
The futility of data protection regulations
Whenever there is a criminal attack on the supply chain or when negligence causes service interruptions and data loss, the knee-jerk reaction is to “apologise”, sever ties with the supplier involved and announce a “strengthening of security measures”.
However, no one addresses the underlying issue: the fundamental failure of the way in which legal obligations to protect (personal) data are structured and their inability to have a serious impact on established industrial models.
For years, at least within the EU, we have been inundated with “risk analyses”, “security policies”, information notices, consent requests and “data breach communications”. Today, additional regulations such as the one on resilience or DORA, which concerns financial and insurance services, add further requirements.
An alternative solution
It is quite clear that the regulatory approach to ensuring infrastructure security based on the imposition of essentially bureaucratic burdens has proven ineffective.
So perhaps it would be worth starting to think in terms of the direct responsibility of those who offer services to citizens, institutions and businesses, who should be aware that they cannot get away with a simple “I’m sorry”.
