In January 2026, an investigation revealed that the acting director of CISA, the agency responsible for protecting America's entire digital infrastructure, had uploaded sensitive government documents to a public cloud platform between July and August 2025. Not a junior staffer. Not an intern. The top cybersecurity official in the country.

He had even requested special permission to use the tool. Then he ignored the protocols and used the public consumer version anyway. Four documents marked "for official use only" went up. The uploads went undetected for months before cybersecurity sensors flagged the activity and an investigation was launched.

If the top cybersecurity official in the United States can't follow basic document handling rules, ask yourself this: what is your accountant doing with your tax returns?

The Numbers Nobody Wants to Hear

This isn't speculation. A ManageEngine study (reported by Kiteworks) found that 93% of employees have shared confidential data with unapproved online tools. Not 9%. Ninety-three.

That number includes client information. Thirty-two percent of those employees specifically shared confidential client data. Another 37% exposed private internal company records. And the trend is accelerating. According to Cyberhaven research, in 2023 about 11% of data entered into cloud-based tools was considered sensitive. By early 2025, that figure had tripled to 34.8%.

Meanwhile, 83% of companies have no technology in place to block or even detect these uploads. They rely on training sessions, email reminders, and hope. Only 9% have governance systems that actually work.

The gap between what companies think is happening and what is actually happening is enormous. One-third of executives believe their organization tracks all usage of external tools. The real number that do? Nine percent.

Samsung: Three Engineers, Twenty Days, Permanent Damage

In March 2023, Samsung discovered that three engineers had uploaded proprietary data to a cloud-based tool over a span of just twenty days.

The first entered Samsung's source code to debug a problem. The second recorded a company meeting, transcribed it, then uploaded the transcript to generate meeting notes. The third submitted semiconductor test data for optimization.

Samsung had already warned employees not to do this. They did it anyway. The use cases were mundane. Fixing a bug. Taking meeting notes. Running a test. Routine work that happens in every office, every day.

Samsung's internal assessment was blunt: the data is now permanently stored on external servers. It is, in their words, "impossible to retrieve."

Samsung restricted all inputs to 1,024 bytes per prompt, roughly a short paragraph. Then began building an internal system to avoid any reliance on external platforms. But the damage was done. Source code. Internal meetings. Chip manufacturing data. All sitting on servers Samsung does not control, subject to retention policies Samsung did not write.

What Actually Happens When You Upload a Document?

Most people assume that when they upload a file to an online platform, use it, and close the tab, the file is gone. It is not.

Consumer versions of most cloud-based tools retain uploaded data. That content can be used to improve the platform's commercial products. Prompts, documents, uploaded files, all of it may be fed back into the system. Deleting your account does not guarantee deletion of your data.

Look at the terms of service. If you see phrases like "improving the product," that means the vendor may use your inputs for training. "Aggregated and anonymized" sounds safe, but stripped data can still reveal proprietary patterns. "Perpetual" or "irrevocable" license means the vendor has unlimited rights to your content. Forever.

The US Federal Trade Commission issued a warning in early 2024: companies that promise not to use customer data and then do so are breaking the law. "There is no exemption," the FTC wrote. Zoom changed its terms of service to enable data use for product training. WeTransfer did the same. Both faced backlash. Neither faced meaningful consequences.

And here is the part that should concern you most. In 2024, security researchers found over 225,000 stolen login credentials for cloud tool accounts being sold on dark web markets. These were harvested by malware. Once a buyer logs in with stolen credentials, they get full access to the account's complete history. Documents, queries, shared data. Everything.

Your uploaded tax return. Your client's medical record. Your company's financial statements. All of it, one stolen password away from exposure.

The Legal Reality

Regulators are catching up. Amendment 13 to the Privacy Protection Law came into force on August 14, 2025, and changed the rules significantly.

Individuals can now file civil claims for privacy violations without proving they suffered actual harm. Statutory damages run up to NIS 100,000 per person. Administrative fines can exceed USD 500,000. The Privacy Protection Authority can suspend databases and publish violators' names publicly for up to four years.

This applies to every organization handling residents' data under the law, regardless of where the organization is located. Cloud providers face the same security and penetration testing requirements as on-premises systems. If your service provider uploads your documents to an external cloud platform without proper authorization, you, the business owner, may be the one facing the consequences.

The law doesn't care that your accountant was just trying to save time. It doesn't care that the online tool was free and convenient. It cares about where the data ended up and whether you had control over it.

The Free Tool Trap

Think about the tools professionals use every day. Online PDF converters. Cloud-based OCR services. Free document translation sites. All of them require you to upload your file to someone else's server. None of them come with terms of service you've actually read. And all of them retain some or all of your data for some period of time.

The European Data Protection Board's 2024 report on OCR technologies identified significant risks with cloud-based document processing. Input data is transmitted via API to the vendor's cloud and can be temporarily stored. The EDPB emphasized the need for thorough risk assessment before using third-party services for sensitive documents, citing insider threat and vendor breach risks. For high-consequence data, on-device or self-hosted solutions reduce that exposure significantly.

According to LayerX's 2025 enterprise report, nearly 40% of files uploaded to online tools contain personally identifiable information or payment card data. And 71.6% of that access happens through personal accounts with zero company oversight or audit trail.

Gartner predicted that 99% of cloud security incidents through 2025 would be the customer's fault. Not the vendor. The customer. The person who uploaded the document.

The Question You Should Be Asking

The average data breach at a professional services firm costs $5.08 million, according to IBM's 2024 research. A credential-based breach takes an average of 328 days to identify and contain. Nearly a full year before you even know it happened.

Sixty-eight percent of all breaches involve human error, according to Verizon's 2024 DBIR. Not sophisticated attacks. Not nation-state hackers. Someone uploading something they shouldn't have, to a platform they didn't fully understand, under terms they never read.

Before you upload your next document, before you paste your next block of text into an online service, before you hand your files to a professional who might do the same, ask three questions:

Where is this going? Who can see it? And can I get it back?

If you can't answer all three, you already have a problem.

Sources

[1] TechCrunch, "Trump's acting cybersecurity chief uploaded sensitive government docs to ChatGPT," January 28, 2026. https://techcrunch.com/2026/01/28/trumps-acting-cybersecurity-chief-uploaded-sensitive-government-docs-to-chatgpt/

[2] Kiteworks, "2025 Sensitive Content Communications Report" (citing ManageEngine study), 2025. https://www.helpnetsecurity.com/2025/09/09/employees-ai-tools-sensitive-data/

[3] Cyberhaven, "Shadow AI: How Employees Are Leading the Charge in AI Adoption and Putting Company Data at Risk," 2025. https://www.cyberhaven.com/blog/shadow-ai-how-employees-are-leading-the-charge-in-ai-adoption-and-putting-company-data-at-risk

[4] DPEX Network, "Lessons Learned from Samsung's Confidential Data Leak to ChatGPT," 2023. https://www.dpexnetwork.org/articles/lessons-learned-samsungs-confidential-data-leak-to-chatgpt

[5] Zero Day Law, "What You Need to Know Before Uploading Internal Documents to AI Tools," 2024. https://www.zerodaylaw.com/blog/what-to-know-before-you-upload-company-documents-to-ai-tools

[6] US Federal Trade Commission, "AI Companies: Uphold Your Privacy and Confidentiality Commitments," January 2024. https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/01/ai-companies-uphold-your-privacy-confidentiality-commitments

[7] eSecurity Planet, "Shadow AI and ChatGPT DLP" (citing dark web credential findings), 2025. https://www.esecurityplanet.com/news/shadow-ai-chatgpt-dlp/

[8] Safetica, "Israel's Amendment 13: What the New Data Protection Law Means for Your Business," 2025. https://www.safetica.com/resources/guides/israel-s-amendment-13-what-the-new-data-protection-law-means-for-your-business

[9] European Data Protection Board, "AI Risks in Optical Character Recognition," 2024. https://www.edpb.europa.eu/our-work-tools/our-documents/support-pool-experts-projects/ai-risks-optical-character-recognition_en

[10] LayerX, "Enterprise AI and SaaS Data Security Report," 2025.

[11] IBM, "Cost of a Data Breach Report," 2024.

[12] Verizon, "2024 Data Breach Investigations Report (DBIR)," 2024.

[13] Gartner, cloud security incident prediction (99% customer fault), 2025.

[14] LeanLaw, "AI Privacy Risks: Protecting Client Data in 2025," 2025. https://www.leanlaw.co/blog/what-are-the-data-privacy-implications-of-using-ai-tools-with-confidential-client-information/