Sensitive data exposure rises with employee use of GenAI tools
The analysis was conducted on a dataset comprising 1 million prompts and 20,000 files submitted to 300 GenAI tools and AI-enabled SaaS applications between April and June. According to the findings, 22% of files (total 4,400) and 4.37% of prompts (total 43,700) included sensitive data. The categories of sensitive data encompassed source code, access credentials, proprietary algorithms, merger and acquisition (M&A) documents, customer or employee records, and internal financial information.
Use of new GenAI tools
The data highlights that in the second quarter alone, organisations on average saw employees begin using 23 previously unreported GenAI tools. This expanding variety of tools increases the administrative load on security teams, who are required to vet each tool to ensure it meets security standards.
A notable proportion of AI tool use occurs through personal accounts, which may be unsanctioned or lack sufficient safeguards. Almost half (47.42%) of sensitive uploads to Perplexity were made via standard, non-enterprise accounts. The numbers were lower for other platforms, with 26.3% of sensitive data entering ChatGPT through personal accounts, and just 15% for Google Gemini.
Data exposure by platform
Analysis of sensitive prompts identified ChatGPT as the most common origin point in Q2, accounting for 72.6%, followed by Microsoft Copilot with 13.7%, Google Gemini at 5.0%, Claude at 2.5%, Poe at 2.1%, and Perplexity at 1.8%.
Code leakage represented the most prevalent form of sensitive data exposure, particularly within ChatGPT, Claude, DeepSeek, and Baidu Chat.
File uploads and risks
The report found that, on average, organisations uploaded 1.32GB of files in the second quarter, with PDFs making up approximately half of all uploads. Of these files, 21.86% contained sensitive data. The concentration of sensitive information was higher in files compared to prompts. For example, files accounted for 79.7% of all stored credit card exposure incidents, 75.3% of customer profile leaks, and 68.8% of employee personally identifiable information (PII) incidents. Files accounted for 52.6% of exposure volume related to financial projections.
Less visible sources of risk
GenAI risk does not only arise from well-known chatbots. Increasingly, regular SaaS tools that integrate large language models (LLMs) - often without clear labelling as GenAI - are becoming sources of risk as they access and process sensitive information. Canva was reportedly used for documents containing legal strategy, M&A planning, and client data. Replit and Lovable.dev were involved with proprietary code and access keys, while Grammarly and Quillbot edited contracts, client emails, and internal legal content.
International exposure
Use of Chinese GenAI applications was cited as a concern. The study found that 7.95% of employees in the average enterprise engaged with a Chinese GenAI tool, leading to 535 distinct sensitive exposure incidents. Within these, 32.8% were related to source code, access credentials, or proprietary algorithms, 18.2% involved M&A documents and investment models, 17.8% exposed customer or employee PII, and 14.4% contained internal financial data.
Preventative measures "The good news for Harmonic Security customers is that this sensitive customer data, personally identifiable information (PII), and proprietary file contents never actually left any customer tenant, it was prevented from doing so. But had organizations not had browser based protection in place, sensitive information could have ended up training a model, or worse, in the hands of a foreign state. AI is now embedded in the very tools employees rely on every day and in many cases, employees have little knowledge they are exposing business data."
Harmonic Security Chief Executive Officer and Co-founder Alastair Paterson made this statement, referencing the protections offered to their customers and the wider risks posed by the pervasive nature of embedded AI within workplace tools.
Harmonic Security advises enterprises to seek visibility into all tool usage – including tools available on free tiers and those with embedded AI – to monitor the types of data being entered into GenAI systems and to enforce context-aware controls at the data level.
The recent analysis utilised the Harmonic Security Browser Extension, which records usage across SaaS and GenAI platforms and sanitises the information for aggregate study. Only anonymised and aggregated data from customer environments was used in the analysis.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
RNZ News
30 minutes ago
- RNZ News
Australia debating introducing controls on AI growth
Australia correspondent Nick Grimm spoke to Lisa Owen about Australia wrestling with whether to introduce a new regulatory regime to try to control the unharnessed growth of artificial intelligence. It comes at the cost of many people's jobs while the profits flow to the overseas tech giants controlling the technology. To embed this content on your own webpage, cut and paste the following: See terms of use.
Techday NZ
an hour ago
- Techday NZ
SAP urges unified AI & data approach for ANZ business growth
SAP is calling on Australian and New Zealand organisations to rethink their approach to AI, data and application landscapes, marking a shift from future-looking speculation to real-world execution. Held at the Centrepiece on 7 August, the event brought together more than 700 attendees and over 70 speakers to explore strategies for embedding AI across core business functions. Angela Colantuono, Managing Director and President of SAP Australia and New Zealand, highlighted the urgency for agility and productivity amid ongoing disruption. "Agility is no longer optional, and productivity, well, it's front page news here in Australia," Colantuono said. "The Australian Government is working with business leaders on a productivity challenge over the next few weeks." She also highlighted SAP's investments in sovereign cloud capabilities and a Centre of Excellence in Canberra, underscoring the company's commitment to local innovation. "Our applications manage the heartbeat of local business, with SAP underpinning 92% of the ASX 200," she noted. "And of course, SAP Business AI is embedded directly into our suite." Colantuono stressed the importance of a solid data foundation to unlock AI's true potential. "While everyone's talking about AI, not enough people are talking about how to do AI well," she said. "We know you can't unlock AI without fixing your data landscape." At the event, SAP unveiled the top five AI use cases currently adopted by customers in Australia and New Zealand, based on customer data between May 2024 and May 2025: Automated expense generation using receipt images Automated invoice processing Expense verification and compliance checks Real-time alerts for supply chain disruptions Sales demand forecasting powered by predictive analytics "My conversations with CEOs are increasingly revealing how they are looking to embed AI into some of the most fundamental parts of their business," said Colantuono. "These applications are helping Australian organisations make faster, smarter decisions, reduce risk and unlock new value. But to fully realise AI's potential, we need to invest just as much in people as we do in technology." SAP's commitment to responsible AI was echoed by keynote speaker Dr Catriona Wallace, Founder of the Responsible Metaverse Alliance. "AI is the number one existential risk we face today. Yet only a small fraction of Australian organisations are equipped to use it responsibly," she said. "If we want AI to drive innovation, productivity and public trust, we must move beyond ambition to action." SAP Business Suite President Stefan De Barse used his keynote to explain SAP's "flywheel" concept, where applications, data and AI are unified to increase enterprise value. "The flywheel is all about apps, data and AI coming together to provide more value to all of you - our customers and partners," he said. "It starts with apps that run your end-to-end business processes. Those apps also provide valuable data." That data forms the basis of SAP's Business Data Cloud, in partnership with Databricks, which enables real-time integration between business systems and AI-powered decision-making. "You spend 80% of your time managing this fragile balance between data and apps," De Barse said. "That means only 20% of the time is invested in generating value." He argued that in the AI era, this disconnect is unsustainable. "For AI to deliver exponential value, it is extremely important that the end-to-end business process context is connected with the data," he said. Demonstrating SAP's AI co-pilot Joule, De Barse walked the audience through a scenario where finance, operations, procurement, HR and sales teams collaborate using shared data and embedded AI to resolve rising inventory, back orders and liquidity gaps. Lion, a leading beverage company in Australia and New Zealand, was cited as a live example of SAP's AI capabilities in action. After adopting SAP's Business Technology Platform and a clean core ERP model, Lion accelerated its order-to-cash cycles and developed an AI-powered beer recommendation app, 'Joey', in under 10 days. "AI is helping us move faster, make smarter decisions, and deliver better customer experiences," said Ram Kalyanasundaram, Group Technology and Digital Transformation Director at Lion. "SAP's AI capabilities have been a game-changer in how we think, operate and grow." In higher education, La Trobe University became the first in the ANZ region to go live with SAP S/4HANA Cloud Public Edition as part of its GROW with SAP journey. The transformation is streamlining the university's operations across finance, logistics, real estate and procurement, while laying a foundation for future AI-driven insights. "This transformation is a major step forward in how we operate," said Shainal Kavar, Chief Information Officer at La Trobe University. "It sets us up to embrace innovation and unlock the potential of AI in the years ahead." In addition to showcasing customer success stories, SAP announced the return of its SAP Intrepid Women AI Tour in January 2026. The four-day study programme will support senior female leaders in advancing AI literacy and leadership, building on the momentum of the 2025 edition. "Less than 15% of senior AI executives are women today," said Colantuono. "Last year's programme proved that when you bring female leaders together to build AI literacy and share experiences, the impact is extraordinary." "This is what we believe is the future of the business suite," he said. "And we would love to embark on this business suite journey with many of you."
RNZ News
2 hours ago
- RNZ News
Is AI the future of deciding prices?
Delta Airlines has hit turbulence after it publicly stated it wants AI to set 20% of its domestic ticket prices by the end of the year, raising concerns about so called survellience pricing. Delta has since issued a statement saying it does not intend to use AI to leverage individual consumer-specific data such as prior purchasing activity, but several senators are still concerned they're working on legislaton to stop it happening. Professional teaching fellow at the University of Auckland and an expert in the use of AI and digital technologies in marketing, Patrick Dodd spoke to Lisa Owen. To embed this content on your own webpage, cut and paste the following: See terms of use.
