Skip to content
RansomLeak
Blog

data protection

4 posts with the tag “data protection”

AI Data Leakage: How Employees Expose Secrets to ChatGPT, Claude, and Copilot

AI data leakage illustration - employee pasting confidential code into a chatbot window with data flowing to external servers
Dmytro Koziatynskyi
Founder & CEO

Samsung’s semiconductor division banned ChatGPT in May 2023 after three employees leaked confidential data in under a month. One engineer pasted proprietary source code to debug an error. Another submitted internal meeting notes to generate a summary. A third uploaded chip manufacturing measurements to get yield calculations. Each person was trying to do their job faster. Each left a copy of Samsung’s trade secrets on an OpenAI server.

Within weeks, Apple, JPMorgan, Bank of America, Verizon, Amazon, Goldman Sachs, and Deutsche Bank had followed with their own restrictions. The calculus was the same at every company. The productivity gains were real, but so was the risk of employees turning consumer AI tools into a data exfiltration channel nobody had authorized.

Two years later, the bans have softened into policies, and the policies have softened into training gaps. Most employees still don’t understand what happens to the text they paste into an AI chat window. This is the core of OWASP LLM02, the sensitive information disclosure risk that sits second on the OWASP Top 10 for LLM Applications.

Data Classification Training for Employees

Four data classification folders arranged by sensitivity level from public to restricted, each with progressively stronger lock symbols
Dmytro Koziatynskyi
Founder & CEO

An account manager at a healthcare company needed to share patient outcome data with a prospective partner. She opened the company’s analytics dashboard, exported a CSV, and emailed it to the partner’s Gmail address. The export included patient names, treatment dates, and billing codes. She did not realize any of this was in the file. She had only wanted the aggregate numbers.

The company discovered the incident two weeks later during a routine DLP review. By then, the email had been forwarded internally at the partner organization. HIPAA breach notification was required. Legal costs, remediation, and fines totaled over $200,000. All because one employee could not tell the difference between aggregate statistics and protected health information in a spreadsheet.

This type of incident happens constantly. Not because employees are careless, but because nobody taught them how to look at data and ask: “What am I actually holding?”

GDPR Training for Employees: Beyond the Annual Checkbox

GDPR employee training - compliance document with interactive training scenarios
Dmytro Koziatynskyi
Founder & CEO

A marketing manager adds a customer’s email to a campaign list without checking consent records. A support agent shares a user’s account details with someone claiming to be their spouse. A developer copies production data containing real names and addresses into a staging environment.

None of these people intended to violate the GDPR. All of them did.

The General Data Protection Regulation has been enforceable since May 2018. Eight years in, fines keep climbing. The Irish Data Protection Commission fined Meta EUR 1.2 billion in 2023 for illegal data transfers to the US. The Italian Garante fined OpenAI EUR 15 million in late 2024 for ChatGPT’s privacy violations. These headlines grab attention, but the pattern behind them is consistent: organizations that treated GDPR as a legal department problem instead of a company-wide responsibility.

Your lawyers can’t prevent the marketing manager from misusing consent data. Your DPO can’t watch every developer’s staging environment. The only thing that scales is training, and most GDPR training programs are doing it wrong.

Insider Threat Awareness Training for Employees

Insider threat visualization showing an authorized employee with access badge alongside a data exfiltration timeline
Dmytro Koziatynskyi
Founder & CEO

A systems administrator at a defense contractor copies classified schematics to a personal USB drive over the course of three months. His badge still works. His credentials are valid. He passes the same security checks as everyone else. Nothing in the firewall logs, intrusion detection system, or email gateway catches a thing.

When the breach is finally discovered, it is not because a tool flagged it. A coworker noticed he was accessing project folders he had no business being in and mentioned it to their manager. That conversation, uncomfortable as it was, prevented months of additional exfiltration.

External attackers need to break in. Insiders are already inside.