Case Study: Samsung Semiconductor Leak
Three separate incidents at Samsung Semiconductor in early 2023 exposed proprietary code, manufacturing secrets, and strategic plans through ChatGPT — all within a single month of lifting the ban on its use.
Samsung Incident Dissector
In March 2023, Samsung Semiconductor lifted its internal ban on ChatGPT, allowing engineers to use the tool. Within 20 days, three separate data leaks occurred. At the time, OpenAI's consumer ChatGPT service could use conversation content to improve its models unless the user opted out (an in-product opt-out setting did not exist until late April 2023), so anything pasted into a prompt left the company's control and could end up in OpenAI's training data.
What Happened
A semiconductor engineer pasted proprietary source code for a chip fabrication measurement program into ChatGPT, asking it to identify and fix a bug. The source for the program, including Samsung's proprietary semiconductor manufacturing logic, was transmitted to and stored on OpenAI's servers.
Data Exposed
- Proprietary semiconductor source code
- Chip fabrication measurement algorithms
- Internal software architecture and logic
Consequence
As an interim measure, Samsung capped prompts to external AI tools at 1,024 bytes per submission. It then banned ChatGPT and similar external generative AI tools on company devices and began developing an internal AI tool. Engineers found to have leaked data faced disciplinary action.
Preventive Control
Endpoint DLP that recognises source-code patterns and proprietary markers in text being pasted or uploaded into web-based AI tools and blocks the submission before it leaves the device. This should be paired with an approved internal AI tool under the company's own data-residency controls, so engineers have a sanctioned alternative rather than an incentive to work around the block.
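To make the control concrete, the following is an added illustration of a paste-time DLP rule for web-based AI tools. It is not Samsung's or any DLP vendor's detection logic; the host names, code-pattern regexes, proprietary markers, threshold and sample texts are all constructed for the example. It models both controls the case study describes: blocking source-code-like or marked text bound for an unapproved generative-AI host, and enforcing the 1,024-byte interim prompt cap on everything else.

```python
"""Paste-time DLP check for web-based AI tools (illustrative, not vendor code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed destination lists. The approved host stands in for an internal AI tool
# hosted under the company's own data-residency controls.
UNAPPROVED_AI_HOSTS = {"chat.openai.com", "chatgpt.com", "bard.google.com"}
APPROVED_AI_HOSTS = {"ai.internal.example"}

MAX_PROMPT_BYTES = 1024  # the interim per-prompt cap reported in the case study

# Lightweight source-code signals, applied line by line. A production DLP uses
# trained classifiers and fingerprints of real repositories; these are examples.
CODE_PATTERNS = [
    re.compile(r"^\s*(#include\b|import\s|from\s+\w+\s+import\b|using\s+\w+;)"),
    re.compile(r"\b(def|class|function|void|int|public|private|static)\s+\w+\s*[\(:{]"),
    re.compile(r"^\s*(if|for|while|with|else|try|except|elif)\b.*:\s*$|[;{}]\s*$"),
    re.compile(r"^\s*(\w+\s*=\s*)?[\w.]+\(.*\)\s*;?\s*$"),  # call or assignment-of-call
]
# Classification markers internal documents carry (assumed for the example).
PROPRIETARY_MARKERS = re.compile(
    r"(Samsung\s+Confidential|Internal\s+Use\s+Only|Do\s+Not\s+Distribute)", re.I
)


@dataclass(frozen=True)
class Decision:
    action: str       # "allow" or "block"
    reason: str
    code_score: float


def code_score(text: str) -> float:
    """Fraction of non-empty lines that look like source code."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    hits = sum(1 for ln in lines if any(p.search(ln) for p in CODE_PATTERNS))
    return hits / len(lines)


def evaluate_paste(url: str, text: str, threshold: float = 0.4) -> Decision:
    """Decide whether text pasted into the page at `url` may be submitted."""
    host = urlparse(url).hostname or ""
    score = code_score(text)
    if host in APPROVED_AI_HOSTS:
        return Decision("allow", "approved internal tool", score)
    if host not in UNAPPROVED_AI_HOSTS:
        return Decision("allow", "not an AI tool destination", score)
    # Order matters: a classification marker is conclusive regardless of content type.
    if PROPRIETARY_MARKERS.search(text):
        return Decision("block", "proprietary marker in text", score)
    if score >= threshold:
        return Decision("block", f"source code detected (score {score:.2f})", score)
    if len(text.encode("utf-8")) > MAX_PROMPT_BYTES:
        return Decision("block", f"prompt exceeds {MAX_PROMPT_BYTES} bytes", score)
    return Decision("allow", "plain text within size limit", score)


# Constructed samples; none of this is real Samsung source or data.
SAMPLE_CODE = """\
import csv

def export_measurements(path, rows):
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        for row in rows:
            writer.writerow(row)
"""
SAMPLE_MARKED = "# Internal Use Only\n" + SAMPLE_CODE
SAMPLE_QUESTION = "What does a 'newline' argument to open() do in Python?"
LONG_PROMPT = "Summarise this meeting: " + "we discussed roadmap items. " * 60

if __name__ == "__main__":
    for label, text in [("code", SAMPLE_CODE), ("marked", SAMPLE_MARKED),
                        ("question", SAMPLE_QUESTION), ("long", LONG_PROMPT)]:
        print(label, evaluate_paste("https://chat.openai.com/", text))
    print("internal", evaluate_paste("https://ai.internal.example/", SAMPLE_CODE))
```

The ordering of checks is the design point: a classification marker is decisive on its own, code detection catches unlabelled source, and the byte cap is the fallback for free text such as a meeting transcript. Blocking only on the unapproved hosts while allowing the internal tool is what turns the control from an obstacle into a redirect.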
Key Insight
All three incidents occurred within 20 days of Samsung lifting its ChatGPT ban. Employees were not malicious — they were trying to be more productive. Without guardrails, good intentions lead to catastrophic data exposure. This is exactly the Shadow AI risk every defence organisation faces.
Lessons Learned Builder
For each incident below, consider which controls would have prevented or mitigated the data leak, then compare your answer with the preventive control described above.
Incident 1: Code Debugging Leak
Which controls would have prevented the source code exposure?
Incident 2: Yield Data Leak
An engineer submitted code used to identify defective equipment and optimise yield, asking ChatGPT to optimise it. Which controls would have prevented the manufacturing data exposure?
Incident 3: Meeting Transcript Leak
An employee converted a recording of an internal meeting into a transcript and asked ChatGPT to produce minutes from it. Which controls would have prevented the strategic plans exposure?
Defence parallel: If Samsung engineers — highly trained technical staff at a security-conscious company — leaked data within 20 days, imagine the risk when defence personnel use unapproved AI tools with no DLP or training. The ISM controls exist precisely to prevent this scenario.