run.veric.dev
◆ Design partner preview
Compliance Vault — sample data, real contracts.

Layout, contracts, and data shapes are real. The data shown is illustrative. Real customer data flows live with our first design partner.

Incident replay — counterfactual rendering.

T9 · audit-ledger · counterfactual

Samsung internal-data leak via ChatGPT

Within ~20 days of Samsung Semiconductor relaxing its ChatGPT-use policy in March 2023, three confidential-data leak events were attributed to employee prompts: a ~6,000-line semiconductor source code dump, equipment yield/sensor data, and an internal meeting recording. Samsung concluded the data was effectively unrecoverable from third-party model checkpoints and banned generative AI on company devices.

Verdict shape that would have refuted

Tier T6
Flow contract
flow(classification: internal_only ∨ trade_secret) ∉ flow(external_model_api_egress)
Fixture that exercises this contract
/examples-ai/13-embedding-leakage-from-forbidden-source/manifest.json

The 'product-search-index-v2' fixture demonstrates the 'forbidden source flows into external sink' contract — Samsung's case is the same shape with 'sink' bound to external model vendor.

Regulatory anchor
Trade-secret common law; NIST AI 600-1 §3.5 Data-Privacy
Date the vault would have flagged
2023-03 — at DLP-rule-deploy time, when ChatGPT use was first permitted

What broke instead

Samsung's existing DLP controls were focused on email and file uploads, not LLM-API egress. The 'internal-only' classification did not propagate to the API call submitting the data to a third-party model. The new sink class — external model vendor — had not been enumerated in the policy graph.
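The failure described above, as an added sketch (not Veric's code or contract format): classification labels are propagated along a constructed data-flow graph, and the same graph is checked against a sink list that omits the external-model class and against one that enumerates it. The node names, the `email_egress` and `file_upload_egress` kinds, and the function name are assumptions; only the classification and sink names in the flow contract come from the page.

```python
from collections import deque

FORBIDDEN = {"internal_only", "trade_secret"}        # classifications in the flow contract
LEGACY_SINKS = {"email_egress", "file_upload_egress"}  # assumed names for the pre-existing DLP scope

# Constructed sample graph; every node name here is hypothetical.
NODES = {
    "fab-source-repo":    {"kind": "repository", "labels": {"trade_secret"}},
    "yield-sensor-db":    {"kind": "database", "labels": {"internal_only"}},
    "public-docs":        {"kind": "repository", "labels": set()},
    "engineer-clipboard": {"kind": "workstation", "labels": set()},
    "mail-gateway":       {"kind": "email_egress", "labels": set()},
    "chat-prompt-api":    {"kind": "external_model_api_egress", "labels": set()},
}
EDGES = [
    ("fab-source-repo", "engineer-clipboard"),
    ("yield-sensor-db", "engineer-clipboard"),
    ("public-docs", "engineer-clipboard"),
    ("engineer-clipboard", "chat-prompt-api"),
]

def check_flow_contract(nodes, edges, sink_classes):
    """Return sorted (origin, sink, label) tuples where a forbidden label reaches a listed sink."""
    labels = {n: set(meta["labels"]) for n, meta in nodes.items()}
    origin = {n: {l: n for l in labels[n]} for n in nodes}  # first source seen per label
    out = {}
    for src, dst in edges:
        out.setdefault(src, []).append(dst)
    queue = deque(n for n in nodes if labels[n])
    while queue:  # labels only grow, so this terminates even on cyclic graphs
        n = queue.popleft()
        for d in out.get(n, []):
            new = labels[n] - labels[d]
            if new:
                labels[d] |= new
                origin[d].update({l: origin[n][l] for l in new})
                queue.append(d)
    return sorted((origin[n][l], n, l) for n, meta in nodes.items()
                  if meta["kind"] in sink_classes for l in labels[n] & FORBIDDEN)

if __name__ == "__main__":
    print("legacy policy:", check_flow_contract(NODES, EDGES, LEGACY_SINKS))
    print("with model-API sink:", check_flow_contract(
        NODES, EDGES, LEGACY_SINKS | {"external_model_api_egress"}))
```

With the legacy sink list the check returns no violations even though both labels reach the prompt API; the result changes only once the sink class is enumerated.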

Public outcome · Three confirmed leak events, including ~6,000 lines of irrecoverable semiconductor source code; full company-wide ban on generative AI tools; canonical case study cited in NIST AI 600-1.

Cross-references