A sensitive data breach at an Indian AI startup has compromised approximately 350,000 confidential records, leaving them exposed and vulnerable online, following a failure to secure the information properly.
A data breach occurred when Ahmedabad-based WotNot inadvertently exposed sensitive personal records, including scanned passports, ID documents, medical files, resumes, travel plans, and more, by leaving them unsecured on an improperly configured Google Cloud Storage container.
Researchers at a prominent institution announced groundbreaking findings on August 27, 2024. The Google Cloud Storage bucket was found to contain a staggering 346,381 records, all publicly accessible with no password protection required.
The egregious lapse in basic security is staggering, particularly given that the unsecured storage bucket held sensitive documents that could facilitate identity theft with ease.
Despite alerting WotNot to the issue on September 9th, followed by multiple follow-up emails sent to various email addresses, it took over two months for the company to remediate the security vulnerability.
The security alert issued by WotNot noted that an unsecured cloud storage bucket had been exploited by free-tier customers of its service providers, with the initial compromise resulting from modifications made to the bucket’s policies to support a specific use case. Despite our best efforts, we failed to thoroughly verify the content’s accessibility, unintentionally leaving crucial information hidden.
The AI chatbot firm swiftly sought to allay concerns among its enterprise clientele, affirming that no sensitive information had been compromised during the security incident.
“For enterprise clients, we provide tailored solutions that guarantee the highest standards of safety and compliance are meticulously adhered to.”
It is irrelevant whether you are a non-paying consumer of WotNot or an organization like Merck or the University of California, which appears among its list of paying clients. It’s unacceptable that anyone’s privacy can be treated with such disregard.
I suspect WotNot wasn’t highlighting one of several perks of upgrading to a paid subscription, rather than sticking with the free version, as there was no guarantee of security in place for non-paying customers.
My recommendation? Avoid sharing sensitive information with AI chatbots, as there’s no guarantee where it will be stored or what might be done with it; even services like WotNot may not adequately safeguard your data from unauthorized access.
