Everyone is worried about hackers, but the bigger risk today is your own employees.
I came across an insightful article highlighting a critical blind spot under the DPDP Act — how employees casually using AI tools may be triggering massive compliance risks.
And honestly, this is something most organisations are still underestimating.
From a legal-tech perspective, the issue is not just “data leakage.”
It is loss of control.
When an employee pastes:
- customer data
- source code
- financial projections
into an external AI tool, that data is no longer within the organisation’s control.
Under the DPDP Act, where that material includes personal data (customer records, for instance), that is not just a mistake.
It can be a personal data breach: the Act's definition covers not only unauthorised processing but also accidental disclosure or sharing of personal data that compromises its confidentiality, so an employee pasting it into an external tool fits squarely within it.
This is not hypothetical. It’s already happening.
- Samsung (2023) – Engineers leaked sensitive semiconductor data by pasting code into ChatGPT for debugging, resulting in immediate internal restrictions on AI usage.
- Amazon (reported internally) – Employees were warned not to input confidential information into AI tools after discovering outputs resembling internal data.
- JPMorgan Chase – Restricted employee access to ChatGPT due to concerns over data leakage and regulatory exposure.
Where the real problem lies
Most companies are building strong external defenses:
- Firewalls
- Intrusion detection
- Cyber insurance
But internally, there is:
- Zero monitoring of AI usage
- No employee awareness
- No structured AI governance
This creates a compliance illusion: you feel secure, but your data is already leaving your systems.
The Legal-Tech Gap
The law is clear.
The technology is evolving.
But organisations are stuck in between.
AI tools are:
- Fast
- Useful
- Embedded into workflows
So banning them doesn’t work.
But not governing them?
That is where the DPDP Act's penalties start to bite: up to ₹250 crore for failing to take reasonable security safeguards, and up to ₹200 crore for failing to notify a personal data breach.
My Take
The future of compliance is not just data protection.
It is AI usage governance.
Organisations need to move from:
“Can employees use AI?” to “How can employees use AI safely?”
Because today, the biggest data breach is not an attack. It’s a single well-written prompt.
Final Thought
The DPDP Act has shifted the burden completely.
You are not just responsible for securing your systems. You are responsible for how your people interact with technology.
And in the AI era, your biggest vulnerability is no longer your firewall — it’s your workflow.