Employees Enter Sensitive Data Into GenAI Prompts Far Too Often
===============================================================

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

[Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)

January 17, 2025
A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many [organizations’ hesitancy to fully adopt AI practices](https://www.darkreading.com/cyber-risk/data-privacy-age-of-genai).

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service’s LLM data set as source material used to train the next generation of the algorithm.
The concern is that the information could be retrieved at a later date via [savvy prompts](https://www.darkreading.com/cyber-risk/forget-deepfakes-or-phishing-prompt-injection-is-genai-s-biggest-problem), a vulnerability, or a hack, if proper data security isn’t in place for the service.

That’s according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft Copilot, OpenAI ChatGPT, Google Gemini, Anthropic’s Claude, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there was a subset of requests that were much more compromising. In all, 8.5% of the analyzed [GenAI prompts included sensitive data](https://www.darkreading.com/vulnerabilities-threats/samsung-engineers-sensitive-data-chatgpt-warnings-ai-use-workplace), to be exact.

Customer Data Most Often Leaked to GenAI
----------------------------------------

The [sensitive data](https://www.darkreading.com/application-security/hundreds-of-llm-servers-expose-corporate-health-and-other-online-data) that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information [into a GenAI platform](https://www.darkreading.com/cyber-risk/shadow-ai-sensitive-data-exposure-workplace-chatbot-use) to save time in processing claims.
Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic’s study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%; however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it’s for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data.

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims.
Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

Balancing GenAI Cyber-Risk & Reward
-----------------------------------

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don’t adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading.
"Even if it gets fully implemented, if it isn’t serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time; identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems; gaining full visibility over these tools; sensitive data classification; creating and enforcing workflows; and training employees on best practices and risks of responsible GenAI use.

About the Author
----------------

[Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)

Skilled writer and editor covering cybersecurity for Dark Reading.