AI Data Leaks: How Confidential Business Data Goes Public — and What It Costs You

AI Data Leaks: How Confidential Business Data Goes Public — and What It Costs You
Author: Siniša Dagary | Category: AI Risk & Data Security | Platform: sinisadagary.com, slaff.io, investra.io, unifyr.space
AI Data Leaks: How Confidential Business Data Goes Public
38.6% of employees using AI tools have shared confidential data. Learn how AI causes data leaks, real cases, and how to protect your business in 2026.
AI data leaks business 2026, confidential data AI tools, AI data security risk, Samsung ChatGPT data leak, AI GDPR data breach, AI data protection
The Invisible Pipeline Carrying Your Secrets Out the Door
Every day, across thousands of companies, employees are doing something that seems completely reasonable: they're using AI tools to work faster. They paste a customer contract into ChatGPT to get a summary. They upload a financial model to Claude to check the formulas. They ask an AI assistant to review a confidential strategy document.
And every time they do, there's a question that most companies haven't answered: where does that data go?
The answer is complicated, and in many cases, deeply uncomfortable. According to Cyberhaven research, 38.6% of employees using AI tools have shared confidential company data with them. This isn't a small minority of careless individuals — it's the majority of AI tool users, doing what seems natural in the flow of their work.
The Samsung incident of March 2023 made this visible in a way that couldn't be ignored. Engineers at Samsung's semiconductor division pasted proprietary source code into ChatGPT to help debug it. The code — representing years of competitive advantage and significant trade secret value — was potentially incorporated into OpenAI's training data. Samsung banned ChatGPT company-wide within weeks, but the damage was done.
Quick Answer: AI tools cause data leaks when employees input confidential information — source code, financial data, customer records, strategy documents — into AI systems that may use that data for model training or store it in ways that create exposure. 38.6% of employees using AI tools have shared confidential company data with them (Cyberhaven). The average cost of a data breach is $4.88 million (IBM 2024), with GDPR fines adding significant additional exposure.
How AI Data Leaks Actually Happen: Four Mechanisms
Understanding how AI causes data leaks requires understanding the technical and behavioral mechanisms involved.
Mechanism 1: Training Data Incorporation
The most significant long-term risk is that data entered into AI tools may be used to train or fine-tune the underlying models. When this happens, the information can potentially surface in responses to other users — not necessarily as verbatim text, but as patterns, associations, or specific knowledge that shouldn't be accessible.
OpenAI's default data usage policy (before users opt out) allows user inputs to be used for model improvement. Many enterprise users don't realize this, and many don't take the steps to opt out or use enterprise API access that provides stronger data protections.
Mechanism 2: Provider Data Storage and Access
Even when AI providers don't use data for training, they typically store user inputs for periods ranging from 30 days to indefinitely. This creates exposure through several channels: data breaches at the AI provider, legal requests for data, insider access by provider employees, and regulatory investigations.
Mechanism 3: Shadow AI — Unsanctioned Tool Use
Shadow AI is the enterprise security equivalent of shadow IT — employees using AI tools that haven't been approved, vetted, or configured by the organization. A 2025 survey found that 65% of employees use AI tools that their IT department hasn't approved. These tools may have minimal data protection, no enterprise agreements, and no audit trails.
Mechanism 4: AI-Assisted Social Engineering
AI tools are dramatically lowering the cost and sophistication of social engineering attacks. Attackers use AI to craft highly personalized phishing emails, generate convincing deepfake audio and video of executives, and automate large-scale credential harvesting campaigns. The Arup deepfake incident ($25.6 million lost) is the most prominent example, but it represents a growing category of AI-enabled attacks.
Key Fact: The most commonly shared confidential data types in AI tools: source code (13.8% of all data sent to AI tools), confidential business documents (10.2%), customer data (8.1%), and financial information (6.3%). Source: Cyberhaven 2023 research on enterprise AI data exposure.
Five Real Cases of AI-Related Data Exposure
Case 1: Samsung Source Code Leak (March 2023)
Samsung engineers pasted proprietary semiconductor source code into ChatGPT on three separate occasions within a single month. The code included confidential chip designs, internal meeting notes, and test sequences. Samsung banned ChatGPT company-wide and began developing an internal AI system. The incident highlighted that even technically sophisticated employees don't naturally think about AI data retention when using tools that feel like search engines.
Case 2: Legal Firm Client Data Exposure
A mid-sized law firm discovered that associates had been using a consumer AI tool to draft client documents, pasting in confidential client information including financial details, legal strategies, and personal data. The firm had no AI usage policy, no approved enterprise AI tools, and no monitoring. The exposure was discovered during a routine security audit — not because of an incident.
Case 3: Healthcare Provider Patient Data
A hospital system found that administrative staff were using AI tools to transcribe and summarize patient consultations, uploading audio recordings that contained protected health information (PHI). The AI tool used had no HIPAA Business Associate Agreement, making the exposure a direct regulatory violation.
Case 4: Financial Services Competitive Intelligence Leak
An investment bank discovered that analysts were using AI tools to analyze competitor filings and internal strategy documents simultaneously — effectively creating a scenario where competitive intelligence was being processed by systems outside the firm's control. The bank implemented an emergency AI governance policy within 48 hours of discovery.
Case 5: Manufacturing Trade Secret Exposure
A European manufacturer discovered that R&D engineers had been using AI tools to analyze proprietary formulations and manufacturing processes. The company had invested over €40 million in developing these processes over a decade. The exposure was discovered only when a competitor appeared to have knowledge of specific technical details.
The GDPR Dimension: Data Leaks as Regulatory Violations
AI-related data leaks don't just create competitive and reputational risk — they create direct GDPR liability.
Personal data in AI tools. If employees input personal data (customer information, employee records, health data) into AI tools, this constitutes data processing under GDPR. The AI provider becomes a data processor, and the company must have a Data Processing Agreement (DPA) in place. Without a DPA, the processing is unlawful under GDPR Article 28.
Data transfers outside the EU. Most major AI tools (ChatGPT, Claude, Gemini) are operated by US companies. Data entered into these tools is transferred to the US. Under GDPR, this requires either Standard Contractual Clauses (SCCs) or another approved transfer mechanism. Many companies using consumer AI tools have not implemented these mechanisms.
Data breach notification. If an AI-related data exposure qualifies as a personal data breach under GDPR, the company has 72 hours to notify the relevant supervisory authority. Failure to notify is itself a GDPR violation.
Right to erasure complications. If personal data has been incorporated into an AI model's training data, fulfilling GDPR erasure requests becomes technically complex or impossible — creating ongoing compliance exposure.
Quick Answer: AI-related data leaks create GDPR liability through multiple mechanisms: inputting personal data into AI tools without a Data Processing Agreement (DPA) violates GDPR Article 28; transferring data to US-based AI providers without Standard Contractual Clauses (SCCs) violates GDPR data transfer rules; and failing to notify authorities within 72 hours of a qualifying breach violates GDPR Article 33. The combination of competitive damage and regulatory fines makes AI data leaks one of the highest-cost risk categories in enterprise AI adoption.
Building an AI Data Security Framework
Step 1: AI Tool Inventory and Classification
You cannot protect data from tools you don't know exist. Conduct a comprehensive inventory of all AI tools used across the organization — including tools employees use on personal devices for work purposes. Classify each tool by data sensitivity risk.
Step 2: Data Classification Policy
Define what data can and cannot be entered into AI tools. A practical framework:
| Data Category | AI Tool Policy |
|---|---|
| Public information | Permitted in approved AI tools |
| Internal business information | Permitted only in enterprise-grade AI tools with DPA |
| Confidential/proprietary data | Permitted only in approved internal AI systems |
| Personal data (GDPR) | Requires DPA; prohibited in consumer AI tools |
| Trade secrets | Prohibited in external AI tools |
| Financial data (material non-public) | Prohibited in external AI tools |
Step 3: Enterprise AI Tool Procurement
Replace consumer AI tools with enterprise-grade alternatives that provide: Data Processing Agreements (DPAs), contractual commitments not to use data for training, data residency in the EU (for GDPR compliance), audit logs, and role-based access controls.
Step 4: Technical Controls
Implement technical controls to enforce data classification policies: Data Loss Prevention (DLP) tools that detect and block sensitive data being sent to AI services, browser extensions that warn employees when they're about to paste sensitive data, API gateway controls that monitor and filter AI tool usage, and network monitoring for unauthorized AI tool access.
Step 5: Employee Training
The Samsung engineers who pasted source code into ChatGPT weren't being malicious — they were being efficient. They didn't understand the data retention implications. Employee training must cover: what data can and cannot be shared with AI tools, how to identify approved vs. unapproved AI tools, and what to do if they accidentally share sensitive data.
Step 6: Incident Response Planning
Develop a specific incident response plan for AI data exposure events, covering: how to determine what data was exposed, GDPR breach notification procedures, communication protocols for affected parties, and remediation steps.
For businesses seeking expert guidance on AI data security frameworks, Slaff.io provides specialized workforce and compliance solutions for organizations navigating AI adoption risks.
Frequently Asked Questions
How do AI tools cause data leaks? AI tools cause data leaks when employees input confidential information into systems that may use it for training, store it in ways that create exposure, or transfer it to jurisdictions without adequate data protection.
What percentage of employees share confidential data with AI tools? 38.6% of employees using AI tools have shared confidential company data with them (Cyberhaven). The most common types: source code (13.8%), confidential documents (10.2%), customer data (8.1%), financial information (6.3%).
What happened in the Samsung AI data leak? In March 2023, Samsung engineers pasted proprietary semiconductor source code into ChatGPT on three occasions. The code potentially became part of OpenAI's training data. Samsung banned ChatGPT company-wide within weeks.
What is the average cost of an AI-related data breach? The average cost of a data breach reached $4.88 million in 2024 (IBM). AI-related breaches tend to be more expensive. GDPR fines add additional costs — the largest 2025 GDPR fine was €530 million.
What is shadow AI? Shadow AI refers to AI tools used by employees without IT department approval or security vetting. 65% of employees use unapproved AI tools (2025 survey). Shadow AI creates significant data exposure because these tools typically lack enterprise data protections.
How does AI data exposure create GDPR liability? Inputting personal data into AI tools without a Data Processing Agreement violates GDPR Article 28. Transferring data to US-based AI providers without Standard Contractual Clauses violates GDPR transfer rules. Failing to notify authorities within 72 hours of a qualifying breach violates GDPR Article 33.
Recommended Reading
- GDPR & EU AI Act: The €35 Million Fine — sinisadagary.com
- AI Hallucinations in Business — sinisadagary.com
- Workforce Solutions for AI-Ready Organizations — Slaff.io
- Legal and Compliance Advisory — Findes Group & Partners
Connect With Me
- LinkedIn: linkedin.com/in/sinisadagary
- Facebook: facebook.com/sinisadagary
- Instagram: @sinisa_dagary
- YouTube: youtube.com/@sinisadagary
Siniša Dagary is a business consultant and AI strategist with 20+ years of experience helping European companies navigate the opportunities and risks of AI adoption.



