AI chatbot builder leaks hundreds of thousands of records online


  • Researchers found over 300,000 files of personally identifiable information
  • The files are attributed to AI chatbot startup WotNot
  • It took over two months for the exposure to be closed after initial disclosure

A huge Google Cloud storage bucket containing 346,381 files, attributed to AI startup ‘WotNot’, has been found unprotected online, experts have warned.

The exposed files, found by researchers at Cybernews, contained a ‘treasure trove’ of personal information, including passports, medical records, and CVs, which of course include full names, contact information, and addresses.

The storage bucket was accessible to anyone without needing authorization, and was left open for over two months after initial disclosure notifications were sent.

The risk of outsourcing

WotNot provides AI chatbots to businesses, offering a ‘personalized experience’ which is ‘available 24/7, responds instantly, and totally reliable’. The startup boasts 3,000 customers, and offers its services to ‘any vertical’, like Insurance, Finance, Healthcare, SaaS, and Banking. High-profile customers include the University of California, Chenening, and Amneal Pharmaceuticals.

Using third-party vendors for systems and resources is incredibly common, but businesses are left at risk if their vendors are compromised. AI services especially are interconnected, so they are more likely to bring an uncontrolled flow of data – especially since customers are prompted to enter identifying information into the chatbots.

This incident, and the recent Blue Yonder ransomware attack, illustrate how important robust vetting and frequent cybersecurity assessments are when collaborating with third parties.

Data leaks containing personally identifiable information put both the customer and organization at risk.

“While WotNot’s scale may be modest, this leak presents a significant security and privacy threat and impact to affected individuals. The exposed personal documents provide threat actors a complete toolkit for identity theft, medical or job-related fraud, and various other scams,” Cybernews researchers said.

On a customer level, the risk is identity theft and social engineering attacks, since personal data can be used to design phishing attacks specific to the individual, or identification documents can be used to take out loans or commit fraud.
