346K Medical Records And Passports Compromised In AI Chatbot ‘WotNot’ Security Failure

eWEEK content and product recommendations are editorially independent. We may earn money when you click on our partners’ links. learn more.

A recent data breach involving Indian artificial intelligence startup WotNot exposed more than 346,000 personal files online, putting customers’ sensitive information at risk. Cybersecurity researchers at Cybernews discovered the exposed data during a “routine investigation using OSINT methods” in August. A misconfigured Google Cloud Storage bucket containing more than 346,000 files gave anyone online access without authorization.

The leaked information included passports and national identity cards, detailed medical records including diagnoses and test results, resumes containing work experience and contact information, and other documents such as travel itineraries and train tickets. The data, sourced from WotNot’s 3,000-strong customer base, poses a serious risk of identity theft, fraud and phishing schemes.

WotNot’s response

WotNot, it provides chatbot Development services in the healthcare, financial and education industries blamed the breach on lapses in cloud storage policies. The exposed buckets were reportedly used by users of its free tier.

“The cause of the leak was that the cloud storage bucket policy was modified to fit a specific use case,” WotNot told Cybernews. “However, we sadly missed out on thoroughly verifying its accessibility, which inadvertently resulted in data exposure.”

Third parties and shadow IT

The company noted that its enterprise customers run on private instances with stricter security protocols. It also claims to advise customers to delete sensitive files after transferring them to their own systems, but this practice is not strictly enforced. The incident highlights the risks of including third-party vendors into the artificial intelligence ecosystem. and Chatbots collect sensitive user dataany weak link in the supply chain could lead to a catastrophic breach.

According to online news reportsartificial intelligence services introduce a new kind of shadow IT resource that is not under the direct control of the organization. Cybernews researchers explain: “In the case of WotNot, sensitive information originating from its business customers was ultimately exposed, demonstrating that a security breach at a single vendor could compromise the data of multiple companies and thousands of people downstream. .

Experts advise users to think twice before sharing personal information with others Artificial Intelligence Chatbotespecially on platforms that may involve multiple vendors. We urge businesses to thoroughly review their security policies before doing business with partners.

Learn how Artificial intelligence can be used on both sides of the cybersecurity equationby hackers and cybersecurity teams, among others.