5 Companies That Lost Data Through AI Systems (And What Went Wrong)

5 Companies That Lost Data Through AI Systems (And What Went Wrong)

Which Companies Lost Data Through AI Systems and What Went Wrong?

Several major companies exposed sensitive data through AI tools due to poor access controls, employee misuse, insecure integrations, and lack of governance around AI systems. These incidents show that AI adoption without proper safeguards creates serious security gaps.

When businesses rush to adopt AI tools, they often overlook the security risks that come with them. Companies lost data through AI systems not because the technology itself failed, but because people and processes around it were not ready. From source code leaks to chat history exposures, these real incidents reveal how easily sensitive information can slip into the wrong hands. Understanding these failures is the first step toward preventing them in your own organization.

A 2025 report from Cyberhaven found that nearly 40% of employee interactions with AI tools involve sensitive data. Gartner predicts that by 2027, more than 40% of AI related data breaches will come from improper use of generative AI across borders. These numbers show that AI security risks are growing faster than most organizations can respond.

1. Samsung and the ChatGPT Source Code Leak

Samsung employees uploaded confidential source code and meeting notes into ChatGPT, exposing proprietary company information that could not be deleted from external servers.

In April 2023, three separate Samsung employees accidentally leaked sensitive data through ChatGPT. One engineer pasted confidential source code to check for errors. Another shared code and asked for optimization help. A third uploaded a recording of an internal meeting and asked the AI to create presentation notes from it.

The problem was not ChatGPT itself but the complete absence of an AI usage policy. Samsung had given employees access to the tool without setting rules about what could and should not be shared. By default, ChatGPT stored these conversations and could use them to train future models.

Samsung responded by banning all generative AI tools across its largest division. The company later developed its own internal AI system called Gauss and only recently began allowing limited, governed access to external AI tools again. This remains one of the most widely cited AI vulnerability examples in corporate history.

2. Amazon and AI Training Data Exposure Concerns

Amazon warned employees not to share confidential information with generative AI tools after discovering that workers were inputting sensitive company data into ChatGPT for everyday tasks.

In January 2023, an Amazon corporate lawyer sent a warning to all employees. The message was clear: do not share any Amazon confidential information with ChatGPT or similar tools. The concern was that employee prompts could be retained by AI providers and eventually appear in AI generated output that closely matches proprietary Amazon material.

Amazon had noticed that employees were actively using ChatGPT to draft emails, summarize documents, and write code. While no actual data breach was confirmed, the risk was significant enough to trigger a company wide policy response. The lawyer noted that AI output had already been seen closely matching existing Amazon content.

This case shows that data loss AI incidents do not always require a confirmed breach. The mere possibility of sensitive data being retained and reused by AI systems represents a legitimate threat that companies must address proactively.

3. Microsoft AI Chatbot Data Exposure Incident

Microsoft Copilot Chat experienced a configuration error that exposed confidential emails and draft messages to enterprise users who used the AI assistant within Outlook and Teams.

In 2025, Microsoft confirmed that its 365 Copilot Chat tool had surfaced information from confidential email drafts and sent folders to some enterprise users. The tool was designed to help employees find answers and summarize messages across Microsoft applications including Outlook and Teams.

Microsoft stated that the issue did not grant anyone access to information they were not already authorized to see. However, security experts pointed out that the speed at which companies add AI features to existing products makes these kinds of mistakes almost inevitable. A Black Hat 2024 researcher had already demonstrated multiple security gaps in Microsoft Copilot that could allow attackers to extract sensitive data and corporate credentials.

These real world AI security failures prove that even the companies building AI tools can struggle to secure their own products. Integration between AI systems and existing enterprise platforms creates attack surfaces that traditional security measures often miss.

4. OpenAI Chat History Exposure Incident

A bug in OpenAI systems exposed chat titles and payment details of some ChatGPT users, affecting approximately 1.2% of ChatGPT Plus subscribers.

On March 20, 2023, OpenAI discovered that a bug in the Redis open source library was causing some users to see chat titles from other active users. The company took ChatGPT offline temporarily to fix the problem. Investigation revealed that 1.2% of ChatGPT Plus subscribers had payment related information exposed, including names, email addresses, partial credit card numbers, and card expiration dates.

OpenAI CEO Sam Altman publicly acknowledged the issue and confirmed the fix. The bug originated in a third party library rather than in OpenAI own code, which highlights the challenge of securing AI platforms that depend on complex software supply chains.

This incident is particularly significant because it affected the platform that millions of people trust with their most sensitive conversations. It demonstrates that AI security risks exist at every layer of the technology stack, from the AI model itself down to the open source libraries that support it.

5. Samsung Semiconductor Data Upload Incident

Samsung semiconductor engineers shared proprietary chip design data and confidential engineering materials through AI prompts, leading the company to restrict AI tool access across its hardware teams.

While the first Samsung incident involved the software division, a separate and equally serious case occurred within the semiconductor unit. Engineers working on next generation chip designs used ChatGPT to seek help with optimization problems, effectively uploading proprietary technical specifications and trade secrets into a third party AI system.

This was not a single careless mistake but a pattern of behavior driven by convenience. Engineers were under pressure to solve complex problems quickly, and AI tools offered an easy shortcut. The lack of clear guidelines meant that multiple team members independently chose speed over security.

Samsung semiconductor division responded with strict internal restrictions on AI usage. The company required all AI interactions to go through approved internal systems only. These companies hacked through AI incidents were not caused by external attackers but by trusted employees who simply did not understand the risks of sharing proprietary data with external AI services.

Key Takeaways

• AI adoption without governance policies leads to data exposure
• Employee awareness and training are the most effective defenses
• Even AI platform providers like OpenAI and Microsoft experience security failures
• Third party AI tools can retain and reuse your sensitive data
• Internal AI solutions offer a safer alternative for handling confidential information