How AI Lets Your Company Secrets Leak Out
Business - June 6, 2025

Advanced tools like ChatGPT, Copilot, and Gemini enable people to work more efficiently. They can draft emails, write code, and answer questions in seconds.

However, when someone pastes private or confidential company information into these tools, that information leaves the company's control: it may be retained by the provider, used to improve the service, or surfaced to other users or to attackers.

Let’s examine how these tools can expose company secrets and rank each risk from least common to most common.

Safety and Compliance Risks (0.2%)

Safety-related incidents are rare, appearing in only about 0.2% of all prompts, but they cannot be ignored. These "safety issues" typically involve messages containing violent, explicit, or hateful content.

While this category does not directly reveal trade secrets or proprietary data, it can harm a company’s reputation and violate industry regulations.

For example, a prompt that discloses internal compliance procedures or policy guidelines without authorisation can expose the company to regulatory penalties or public backlash.

Lasso Research’s analysis confirms that just 0.2% of prompts fall into this category, yet even a single incident can have outsized effects on brand trust and legal standing.

Jailbreak Attempts (0.3%)

“Jailbreak” attacks try to trick a system into ignoring its built‐in safeguards by phrasing prompts in ways that bypass content filters.

Although only 0.3% of all messages attempt this, the potential impact is high: a successful jailbreak can reveal internal policy details, confidential system instructions, or proprietary code that was meant to stay restricted.

Once a system reveals its hidden instructions or guardrails, an attacker knows exactly what to work around and can craft follow-up prompts that extract sensitive information.

Personal Data and Payment Information (1.4%)

Sometimes, people share personal data, such as names or credit card numbers, with these tools. This happens in about 1.4% of all prompts. In 11.2% of those cases, email addresses or payment details appear.

A Cisco survey in 2023 found that 39% of people accidentally shared sensitive data when using online assistants, and 88% of those respondents worried their data was at risk.

Leaking this data can breach privacy laws such as GDPR or CCPA and lead to hefty fines and lost customer trust.

Code and Token Exposure (4%)

People sometimes paste code snippets or API keys into these platforms. This happens in about 4% of prompts. In 30% of those cases, the keys or tokens are real and grant access to internal systems.

For example, in 2023 Samsung engineers pasted proprietary source code into an online assistant to have it reviewed and fixed.

They unintentionally handed confidential software details to a third party. In May 2023, after that incident, Samsung banned the use of such tools on company devices.

Proprietary Data and Intellectual Property (8.5%–13%)

The biggest risk comes from sharing private company data such as customer lists or product plans. Between 8.5% and 13% of prompts contain this kind of information.

A Harmonic Security report found that 8.5% of messages included billing info, trade secrets, or R&D data.

Lasso Research found that 13% of messages included data that could hurt a company's competitive edge.

When product plans or strategic roadmaps leak, competitors can copy or block new offerings. This can waste years of work and millions of pounds.

Consequences of Data Leakage

Sharing sensitive data through these tools carries several serious consequences:

Regulatory Fines and Compliance Violations: When personal or payment data is exposed, companies face severe penalties under regulations such as GDPR, HIPAA, or CCPA. For instance, GDPR fines can reach as high as 4% of a company’s global annual revenue. Beyond fines, exposing health or payment information often triggers class‐action lawsuits and intense regulatory scrutiny, especially in finance and health care.

Reputational Damage and Loss of Trust: Even a single leak can undermine customer confidence. A Gartner survey shows that 69% of consumers would permanently abandon a brand after a breach. Once an incident becomes public, it can spread quickly through social media and news outlets, causing lasting harm to a company’s reputation.

Theft of Intellectual Property: Competitors or cybercriminals can reverse‐engineer or outright steal leaked algorithms, designs, and strategic roadmaps. When a company’s future product plans become public through a single message, it faces immediate competitive disadvantages, long-term revenue loss, and legal disputes over intellectual property rights.

Operational Disruption: Exposed credentials or tokens can allow attackers to infiltrate internal systems, deploy ransomware, or mount supply‐chain attacks that ripple across the organisation. Even a brief loss of access to crucial applications can cost millions in downtime, erode shareholder value, and strain vendor relationships.

How to Prevent Leaks

Preventing these kinds of data leaks requires a layered approach:

Use Company‐Controlled Platforms
Organisations should run approved tools on internal servers or private clouds. This setup lets the organisation enforce its own access controls, encrypt data at rest and in transit, keep detailed audit logs, and fix the retention and training terms in the contract rather than relying on a consumer service's defaults.

Products like Kiteworks’ Data Gateway encrypt all prompts and continuously monitor for unusual or sensitive content.

Enforce Data Loss Prevention (DLP) Controls
DLP solutions should inspect all outgoing traffic for patterns indicating sensitive data, such as payment‐card numbers, Social Security numbers, or proprietary code signatures.

By setting thresholds on payload size and content type, security teams can automatically block or quarantine suspicious requests before they leave the company network.
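The DLP checks described above, as an added example (not code from the page, from Kiteworks, or from any other vendor): a small Python scanner that applies pattern matching for payment-card numbers (with a Luhn check to cut false positives on order numbers that merely look like card numbers), US Social Security numbers, AWS access key IDs, GitHub tokens and private-key headers, plus a payload-size threshold, and returns an allow/block/quarantine verdict with redacted findings suitable for logging. The pattern set, the 8,000-byte threshold and the sample prompts are illustrative assumptions; the credential-like strings in the samples are the documented AWS placeholder key and a standard test card number, not real secrets.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical size threshold: anything larger is held for review rather than
# sent on, since large pastes are how whole files and customer exports leave.
MAX_PAYLOAD_BYTES = 8_000

# Illustrative patterns only; a production ruleset is larger and tuned per estate.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


@dataclass
class Finding:
    kind: str
    redacted: str  # what gets logged; never the raw value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep enough of the match to triage (first 4, last 2) and mask the rest."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_prompt(text: str) -> list[Finding]:
    """Run every pattern over the outgoing prompt and return confirmed hits."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hit = m.group(0)
            if kind == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", hit)):
                continue  # digits that fail Luhn are not a card number
            findings.append(Finding(kind, redact(hit)))
    return findings


def decide(text: str) -> tuple[str, list[Finding]]:
    """Return (verdict, findings): 'quarantine' for oversize payloads, 'block' on
    any confirmed pattern hit, otherwise 'allow'."""
    if len(text.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        return "quarantine", []
    findings = scan_prompt(text)
    return ("block" if findings else "allow"), findings


# Constructed sample prompts (no real credentials: AKIAIOSFODNN7EXAMPLE is the
# documented AWS placeholder and 4111 1111 1111 1111 is a standard test PAN).
SAMPLE_PROMPTS = [
    "Tidy up this email: thanks for your order #12345678901234, it ships Monday.",
    "Why does this fail? aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "Draft a refund note for card 4111 1111 1111 1111, order 42.",
    "Summarise this log:\n" + "x" * 10_000,
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        verdict, found = decide(prompt)
        print(verdict, [(f.kind, f.redacted) for f in found])
```

Run it and the four samples come back as allow (the 14-digit order number fails Luhn), block (AWS key), block (valid test card) and quarantine (oversize). Two caveats a practitioner should keep in mind: pattern matching of this kind only catches structured secrets, so a pasted customer list or product roadmap sails through unless the content is also classified or labelled upstream; and the check has to sit at the egress point (a forward proxy or CASB) where it sees the request body, not in the browser, or users will simply bypass it.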

Provide Regular Employee Training
Ongoing training sessions are essential. Employees must understand both the risks of using public tools for work and how those services handle data.

Concrete examples, such as Samsung’s 2023 code leak, make the dangers clear and encourage safer behaviour.

Maintain Continuous Monitoring and Visibility
Security operations should integrate solutions like Cloud Access Security Brokers (CASB) and Secure Access Service Edge (SASE) to gain real‐time visibility into all tool usage.

By logging every request, organisations can trace the source of leaks, reconstruct incident timelines, and revoke compromised credentials promptly.
