Habr AI→ original

Employees are leaking corporate data into ChatGPT: volume grew 30-fold in a year

Solar Group analyzed the traffic of 150 Russian companies across the public sector, finance, and IT, and found that the volume of corporate data employees…

AI-processed from Habr AI; edited by Hamidun News
Employees are leaking corporate data into ChatGPT: volume grew 30-fold in a year
Source: Habr AI. Collage: Hamidun News.
◐ Listen to article

Employees Leak Corporate Data to ChatGPT: Volume Surged 30-Fold in a Year

Holding company "Solar" analyzed traffic from 150 Russian organizations and found: the volume of corporate data that employees independently send to public AI services has grown approximately 30-fold — while roughly 60% of companies have no internal rules on this matter.

What exactly goes to foreign data centers

The scheme is simple: you need to extract a summary from a contract — you upload it to ChatGPT. You need to process a client list — you insert it into a spreadsheet with AI functions. The result is good, it takes less time. The problem is that along with documents, the following goes to a third-party data center:

  • Employees' and clients' names
  • Passport data and tax identification numbers
  • Bank details and transaction amounts
  • Commercial terms and internal correspondence
  • Information constituting trade secrets

Usually the service doesn't show any warnings. Formally, the user accepted the terms stating that data can be used to train the model — but few people read that.

Where real risk lies and where it's just scaremongering

Major AI providers declare that they don't use corporate data from API mode to train models. But for Russian companies, this doesn't eliminate the problem.

"Approximately 60% of companies have no internal rules on this matter at all: the process is not controlled either technically or on paper," — from

Solar's research.

Real risks break down into three directions.

Regulatory. Under Russian law 152-FZ "On Personal Data," transferring personal data to third parties without the subject's consent and without a proper contract is a violation. As of May 30, 2025, penalties for repeated violations for legal entities reach 15 million rubles.

Commercial. If a contract with a client specifies confidentiality, and an employee sent a document to ChatGPT — the company violated its contractual obligation. The counterparty has the right to demand compensation for damages.

Reputational. Data leaks of partners through careless AI use become grounds for contract termination.

What companies should do right now

The good news: solutions exist, and they don't require banning AI.

The first step is an internal policy: a one-page document listing what data can be processed in external AI services and what cannot. Without this, the company has no tool for disciplinary action and no argument in a conversation with regulators.

The second step is employee training. Not to prohibit, but to explain: what exactly is personal data and trade secrets, why it cannot be uploaded to a public service, and what corporate alternatives exist.

The third step is technical measures: DLP systems that block or record the transfer of certain categories of data outside the perimeter; corporate AI tools on your own infrastructure or in a Russian cloud with a provider that has signed a data processing agreement under 152-FZ.

What this means

Wholesale transition of employees to AI tools cannot be stopped — and shouldn't be. But a 30-fold increase in data transmission volume in one year suggests that most companies missed the moment when this ceased to be a private initiative and became a systemic corporate risk. Rules are needed not "sometime," but right now.

Frequently asked questions

Is a company at risk of a fine if an employee themselves uploaded data to

ChatGPT?

Yes, potentially. Under 152-FZ, responsibility for processing personal data rests with the operator — that is, the company, not the specific employee. If the fact of transmitting personal data to a third party is established, the regulator has the right to impose a fine on the legal entity. As of May 30, 2025, for repeated violations it reaches 15 million rubles.

Is there a safe alternative to public AI services?

Yes: corporate AI solutions deployed on your own servers or in a Russian cloud with a provider that has concluded a data processing agreement. In this case, data does not leave the controlled perimeter.

ZK
Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.

Want to stop reading about AI and start using it?

AI News is a curated feed of AI/tech news. Hamidun Academy teaches you to use AI systematically in your work.

What do you think?
Loading comments…