
When engineers pasted proprietary code into ChatGPT

Samsung's semiconductor engineers treated ChatGPT like a debugging colleague. In three weeks, they pasted proprietary source code, internal meeting notes, and fab test sequences into a service that ships every prompt to OpenAI's servers. The data was gone the moment they hit send.

Date: March – April 2023
Company: Samsung Electronics
Impact: Trade secret exposure

Three leaks in under a month

In early 2023, Samsung's semiconductor division — the part of the company that designs and fabricates the world's most advanced memory chips — gave engineers access to ChatGPT. The idea was reasonable: use it to debug code, summarize documents, speed up engineering work.

Within twenty days, three separate engineers had pasted proprietary data into the chat. The first submitted a snippet of internal source code and asked ChatGPT to check it for errors. The second pasted another chunk of source code, this time requesting optimization. The third fed in internal meeting notes and asked for a transcript summary.

Every one of those prompts left Samsung's network. ChatGPT is not a local tool — every input is transmitted to OpenAI's servers, where it can be logged, used for training, and stored for review. Samsung had no controls in place between its engineers and the external API.

Once internal security discovered the incidents, the response was immediate and absolute: Samsung banned ChatGPT company-wide, warning that any future use would result in disciplinary action "up to and including termination."

Early Mar 2023: Access granted. Samsung's semiconductor division opens ChatGPT access to engineers for debugging, optimization, and document summarization. No outbound content controls configured.
Mar 2023: Incident 1 — source code. An engineer pastes a proprietary source code snippet into ChatGPT and asks it to identify errors. Data leaves Samsung's network.
Mar 2023: Incident 2 — source code. A second engineer submits another section of internal source code requesting optimization. The code is transmitted to OpenAI servers.
Mar 2023: Incident 3 — meeting notes. A third engineer pastes internal semiconductor meeting notes and asks ChatGPT to summarize. Confidential business context leaves the company.
Apr 2023: Company-wide ban. Internal security discovers the incidents. Samsung bans ChatGPT on all company devices and networks — one of the first major corporations to do so publicly.

What the prompts actually contained

ChatGPT — external service, Mar 2023

ENG (proprietary data):

Please find the bug in this code:

// CONFIDENTIAL — SAMSUNG SEMICONDUCTOR
[REDACTED PROPRIETARY CODE — source snippet]

def [REDACTED](self, wafer_id):
    ...
[REDACTED PROPRIETARY CODE — source snippet]

AI:
I'd be happy to help. Looking at your code, I can see the issue is on line [REDACTED]...

Note: the entire prompt — code, comments, function names — has now been transmitted to OpenAI servers and may be stored for model training or human review.

Highlighted text = proprietary source code and confidential markers. Real code has been redacted here; the original prompts contained live internal source from Samsung's semiconductor division.

What it cost

3 incidents: Three separate proprietary-data leaks in under twenty days before any controls caught them.
Company ban: Samsung banned ChatGPT company-wide on all devices and networks after the incidents were discovered.
Ban wave: Apple, JPMorgan, Verizon, and Amazon followed with ChatGPT and generative-AI restrictions of their own.

Samsung told staff to take precautions when using ChatGPT and other external AI services — and warned that the company could collect and store prompts sent through its networks. The data that had already left was not coming back.

— Reported across Bloomberg and The Economist, April 2023

Sources (verified via public record): Bloomberg, The Economist, Reuters, TechCrunch

Three review criteria that would have caught this

Each criterion below maps to a real review task you can configure in the sample builder. A certified reviewer — or a deterministic scan — checks every outbound AI input against these before it leaves your network.

DATA-001

Scan for proprietary or classified content before external API calls

Every outbound prompt to a third-party model is scanned for confidentiality markers, internal code patterns, and document classifications. If the prompt contains proprietary or classified material, it is blocked before transmission.

Reviewer instruction:
"Does the outbound prompt contain proprietary/classified markers (confidential, internal use, trade secret)? If yes → FAIL with reason 'proprietary content to external service' and block transmission."

DATA-002

Block source code from unclassified repositories

Source code patterns are detected structurally — function definitions, class declarations, imports, package declarations, include directives. Any code that has not been explicitly classified as safe-to-share is blocked from leaving the network.

Reviewer instruction:
"Does the outbound prompt contain source-code patterns (def/class/import/#include/package)? If yes → confirm against approved-source list. If not approved → FAIL with reason 'unclassified source code to external API'."

DATA-003

Data-loss prevention check on all outbound AI inputs

A generalized DLP layer applies to every outbound AI input — not just code. Meeting notes, business strategy, roadmaps, and revenue figures are all flagged. If the input describes internal business context, it does not leave the company.

Reviewer instruction:
"Does the outbound prompt contain internal business context (meeting notes, agenda, strategy, roadmap, revenue)? If yes → FAIL with reason 'internal business context to external AI service' and require local-only model."

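A deterministic scan applying the three reviewer instructions above to an outbound prompt, added here as an illustration and not the vendor's own scanner. The regexes, the `scan_prompt` function and the SHA-256 approved-source list are assumptions; the sample prompts are constructed.

```python
import hashlib
import re

# DATA-001: the markers quoted in the reviewer instruction.
MARKERS = re.compile(r"\b(confidential|internal use|trade secret)\b", re.I)

# DATA-002: structural code patterns, anchored to line starts so prose such
# as "import duties rose" or "class sizes grew" does not trigger a block.
CODE = re.compile(
    r"""^[ \t]*(?:
        def\s+\w+\s*\(                          # function definition
      | class\s+\w+\s*[:({]                     # class declaration
      | (?:from\s+[\w.]+\s+)?import\s+[\w.*]+(?:\s*,\s*[\w.*]+)*\s*;?\s*$
      | \#\s*include\s*[<"]                     # include directive
      | package\s+[\w.]+\s*;?\s*$               # package declaration
    )""",
    re.M | re.X,
)

# DATA-003: the business-context terms from the reviewer instruction.
BUSINESS = re.compile(r"\b(meeting notes|agenda|strategy|roadmap|revenue)\b", re.I)


def scan_prompt(prompt, approved_sha256=frozenset()):
    """Return (criterion, reason) failures; an empty list means allow."""
    failures = []
    if MARKERS.search(prompt):
        failures.append(("DATA-001", "proprietary content to external service"))
    if CODE.search(prompt):
        # Assumption: the approved-source list holds SHA-256 digests of
        # prompts already classified as safe to share.
        digest = hashlib.sha256(prompt.strip().encode()).hexdigest()
        if digest not in approved_sha256:
            failures.append(("DATA-002", "unclassified source code to external API"))
    if BUSINESS.search(prompt):
        failures.append(("DATA-003", "internal business context to external AI service"))
    return failures


# Constructed sample prompts (not real data), modelled on the three incidents.
CODE_PROMPT = ("Please find the bug in this code:\n// CONFIDENTIAL\n"
               "def check_wafer(self, wafer_id):\n    return wafer_id\n")
NOTES_PROMPT = "Summarize these meeting notes: Q3 roadmap review, yield targets."
SAFE_PROMPT = "What is the difference between a mutex and a semaphore?"
PUBLIC_CODE = "import os\nprint(os.getcwd())\n"
APPROVED = {hashlib.sha256(PUBLIC_CODE.strip().encode()).hexdigest()}
```

Any non-empty result should block transmission; the keyword lists fail closed, so a false positive costs a review while a miss costs a leak.
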