ChatGPT Data Breach: How Can Companies Use ChatGPT Responsibly?

ChatGPT is an advanced language model developed by OpenAI. GPT stands for generative pretrained transformer. It is a chatbot that can generate an answer to just about any question it is asked.

According to McKinsey, generative AI tools like ChatGPT and DALL-E (an AI-generated art tool) have the potential to change the way various jobs will be performed in the future. A 2022 McKinsey survey shows that AI adoption has more than doubled over the past five years, and that investment in AI is increasing at a rapid pace. However, the extent of the impact and the risks involved are not known at this time.

The Data Breach

On March 24, 2023, OpenAI put out a press release saying, “We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time.”

The press release went on to explain that, “Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, credit card type and the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.” 

On June 20, 2023, Search Engine Journal published an article called ‘Massive Leak Of ChatGPT Credentials: Over 100,000 Accounts Affected,’ reporting that, “Over 100,000 OpenAI ChatGPT account credentials were compromised and sold on dark web marketplaces from June 2022 to May 2023. Info stealers such as Raccoon, Vidar, and RedLine are largely responsible for these breaches.”

The article went on to explain that, according to a report by Group-IB, these credentials were discovered in logs of stolen information, which were later “offered for sale on underground cybercrime platforms.”

How Can Companies Use ChatGPT Responsibly?

According to Computer Weekly, Craig Jones, vice president of security operations at Ontinue, says that businesses are exposing themselves to “significant legal, compliance, and security considerations” by allowing their employees to use generative AI and ChatGPT in the office.

The following steps can ensure that employees will use the technology responsibly and that their privacy will be protected while using ChatGPT:

  1. Take into account data protection regulations like GDPR or CCPA.
  2. Consider intellectual property rights when using ChatGPT. Craig says, “Establish clear guidelines regarding ownership and usage rights.”
  3. Don’t share sensitive information, because what you enter into ChatGPT gets stored on OpenAI’s servers.
  4. Use a VPN so that your traffic to and from ChatGPT servers is encrypted.
  5. Opt out of ChatGPT’s personal data processing. Disable your chat histories through your account settings.
  6. Use good password hygiene and enable two-factor authentication.

Disclaimer: Any opinions expressed in this blog do not necessarily reflect the opinions of Certrec. This content is meant for informational purposes only.