WotNot, the artificial intelligence chatbot provider, left a cloud storage bucket exposed that contained almost 350,000 files, including personally identifiable information.
Recently, researchers uncovered a large, open Google Cloud Storage bucket. This bucket has exposed sensitive information regarding numerous individuals.
It's tied to an AI startup named WotNot, which gives businesses the ability to build bespoke chatbots. The service claims around 3,000 customers, but it also adds a stage to the flow of PII between the end user and the company running the chatbot service. That extra stage introduces a much larger risk, because this is where the data exposure occurred.
The leaked data appears to come from a number of WotNot clients, as the 346,381 files found vary in nature. Some of the sensitive information included:
This information, if it falls into the hands of cybercriminals, can be used to execute phishing scams and identity theft, among other fraudulent activities.
According to WotNot,
The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.
The "specific use case" apparently refers to customers using the free version of the plan, which had not included proper security controls. WotNot has emphasized,
For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.
The company added that it advises its clients to delete sensitive files from WotNot's servers as soon as those files have been forwarded into the clients' own systems. As a further precaution, WotNot's clients should give users a direct, secure channel for sending sensitive files rather than passing them through a conversation with a bot.
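The cause WotNot describes, a bucket policy loosened for one use case and never re-verified, is exactly what a post-change check should catch. The following is an added example, not WotNot's code: it inspects an IAM policy document of the shape returned by `gcloud storage buckets get-iam-policy <bucket> --format=json`, flags any grant to a public principal, and produces the policy with those grants removed. The sample policy and project name are constructed.

```python
import copy
import json

# Principals that make a GCS bucket readable by anyone on the internet (allUsers)
# or by anyone holding a Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """Return (role, principal) pairs that grant a bucket role to a public principal."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


def is_exposed(policy, public_access_prevention="inherited"):
    """Exposed = a public grant exists and the bucket's publicAccessPrevention
    setting is not 'enforced' (the guardrail that overrides such grants)."""
    return public_access_prevention != "enforced" and bool(public_bindings(policy))


def remove_public_grants(policy):
    """Return a copy of the policy with public principals stripped; bindings left
    with no members are dropped. The etag is kept so the write back is a compare-and-set."""
    fixed = copy.deepcopy(policy)
    fixed["bindings"] = [
        {**b, "members": [m for m in b["members"] if m not in PUBLIC_PRINCIPALS]}
        for b in fixed.get("bindings", [])
    ]
    fixed["bindings"] = [b for b in fixed["bindings"] if b["members"]]
    return fixed


# Constructed sample policy: an object-viewer grant to allUsers makes every object readable.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
""")

if __name__ == "__main__":
    for role, who in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {who} holds {role}")
    print("exposed:", is_exposed(SAMPLE_POLICY))
    print(json.dumps(remove_public_grants(SAMPLE_POLICY), indent=2))
```

Running the same check against every bucket after any policy change, or enforcing public access prevention at the organization level, turns "we missed verifying its accessibility" into an automated gate.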
This incident highlights a recurring issue: third-party leaks exposing sensitive data of people who may not even know the company responsible for the breach. It’s a stark reminder to be cautious about where your data is going before sharing sensitive information. Unfortunately, for end-users, it’s not always obvious if there are additional links in the data chain when interacting with a company.
Whenever possible, refrain from exposing sensitive information through a chat interface and instead opt for a safe company email address or another mode of communication.