AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records

Researchers have discovered a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information.

AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers including some household family names.

But the way its solution is set up introduces an extra link in the chain in the flow of personally identifiable information (PII) from the customer to the company that deployed the chatbot, leaving an additional risk of exposure.

Given the variety in the data the researchers found in the 346,381 files, they suspect that it stems from several WotNot customers. Some of the records that were found included:

Identification documents including passports, which contain information like full names, dates of birth, passport numbers, and other information cybercriminals love to get their hands on.
Medical records including diagnoses, treatment history, test results and other medical information that should be private.
Resumes which include employment history, addresses, education, and contact data like email addresses and phone numbers.

All in all, if a group of cybercriminals finds data like that they can deploy all sorts of schemes to defraud the people whose information they found—ranging from phishing mails that look convincing because they include personal information, to identity theft.

In a statement, WotNot said:

“The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.”

The “specific use case” seems to be that these customers were using the “free plan” which apparently comes with no security.

WotNot clarified:

“For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.”

WotNot also said it typically recommends that its customers delete such files from the server after they have been received and forwarded to their own systems. I would recommend that WotNot customers provide their own customers with a method to send them such files directly.

We have already seen way too many cases where leaks in the supply chain have exposed data from people who had never heard of the company that leaked them.

If anything, the incident shows the importance of checking where your data is going before providing companies with sensitive personal information. But it also demonstrates it’s not always clear to the end user whether there are extra links in the chain to the company they are dealing with.

If you do get a chance, don’t send sensitive data to a chatbot, but ask for a safe company email address instead.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.