{"id":25525,"date":"2024-12-03T14:10:07","date_gmt":"2024-12-03T22:10:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/12\/03\/news-19255\/"},"modified":"2024-12-03T14:10:07","modified_gmt":"2024-12-03T22:10:07","slug":"news-19255","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/12\/03\/news-19255\/","title":{"rendered":"AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records"},"content":{"rendered":"\n<p>Researchers have <a href=\"https:\/\/cybernews.com\/security\/wotnot-exposes-346k-sensitive-customer-files\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered<\/a> a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information.<\/p>\n<p>AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers including some household names.<\/p>\n<p>But the way its solution is set up introduces an extra link in the chain in the flow of personally identifiable information (PII) from the customer to the company that deployed the chatbot, leaving an additional risk of exposure.<\/p>\n<p>Given the variety in the data the researchers found in the 346,381 files, they suspect that it stems from several WotNot customers.
Some of the records that were found included:<\/p>\n<ul>\n<li>Identification documents including passports, which contain information like full names, dates of birth, passport numbers, and other information cybercriminals love to get their hands on.<\/li>\n<li>Medical records including diagnoses, treatment history, test results and other medical information that should be private.<\/li>\n<li>Resumes which include employment history, addresses, education, and contact data like email addresses and phone numbers.<\/li>\n<\/ul>\n<p>All in all, if a group of cybercriminals finds data like that they can deploy all sorts of schemes to defraud the people whose information they found\u2014ranging from phishing mails that look convincing because they include personal information, to <a href=\"https:\/\/www.malwarebytes.com\/identity-theft\">identity theft<\/a>.<\/p>\n<p>In a statement, WotNot said:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.\u201d<\/p>\n<\/blockquote>\n<p>The \u201cspecific use case\u201d seems to be that these customers were using the \u201cfree plan\u201d which apparently comes with no security.<\/p>\n<p>WotNot clarified:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cFor enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.\u201d<\/p>\n<\/blockquote>\n<p>WotNot also said it typically recommends that its customers delete such files from the server after they have been received and forwarded to their own systems.
I would recommend that WotNot customers provide their own customers with a method to send them such files directly.<\/p>\n<p>We have already seen way too many cases where leaks in the supply chain have exposed data from people who had never heard of the company that leaked them.<\/p>\n<p>If anything, the incident shows the importance of checking where your data is going before providing companies with sensitive personal information. But it also demonstrates it\u2019s not always clear to the end user whether there are extra links in the chain to the company they are dealing with.<\/p>\n<p>If you do get a chance, don\u2019t send sensitive data to a chatbot, but ask for a safe company email address instead.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/12\/ai-chatbot-provider-exposes-346000-customer-files-including-id-documents-resumes-and-medical-records\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> AI chatbot provider WotNot left a cloud storage bucket exposed that contained almost 350,000 files, including personally identifiable information. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[15764,12798,32,5897,17237,32193],"class_list":["post-25525","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-chatbot","tag-cloud-storage","tag-news","tag-privacy","tag-supply-chain","tag-wotnot"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25525"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25525\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25525"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}