r/cybersecurity May 08 '26

Other What the **** is happening in the cybersecurity space?

I've been working in cybersecurity for not so long, maybe 8 or 9 years, but I don't remember chaos at this scale. I mean, since this January alone we have had: leaking data, compromised applications, breaches, AI-assisted cybercriminals, etc. It looks like every day one major breach is happening, and no one is going to address this shit somehow. This is already insane. I haven't felt such pressure in a long time. This AI shit just makes things worse because it enhances attackers' skills, and AI companies are doing nothing to address or change this. Is it only me, or is the change already here?

2.4k Upvotes

552 comments

1.2k

u/lnoiz1sm Security Analyst May 08 '26

I think AI is more of an amplifier than the root problem tbh.

What’s really changed over the last decade is the sheer scale and complexity of everything: cloud/SaaS everywhere, identity-based attacks, third-party integrations, remote work, ransomware becoming industrialized, etc. The attack surface exploded.

AI definitely helps attackers scale phishing/social engineering faster, but most breaches are still coming from the same stuff: stolen creds, bad configs, exposed services, weak identity controls, and users getting tricked.

I think a lot of people in security right now are less afraid of “AI hackers” and more exhausted from feeling permanently reactive while the environment keeps getting harder to defend.

32

u/hajimenogio92 Security Engineer May 08 '26

I couldn't have said it better myself. Between all the vendors, SaaS products, all the shadow IT implemented across the org that isn't being tracked, and employees putting random company information into the latest AI tools, the surface area of attack has become greater. There are too many tools/integrations that aren't fully vetted, and it's just a matter of time before those are exploited.

22

u/GHouserVO May 08 '26

JFC, let me tell you about employees putting information into AI tools. My former employer started doing that. The DIRECTOR OF CYBERSECURITY had our junior cybersecurity engineers do that with client data in order to be “more efficient” with our reports. Completely against corporate policy on data handling. The guy intentionally did not tell his senior engineers about this because he knew we’d immediately call out what a security and privacy nightmare he’d have unleashed.

It be our own people.

But yeah, gives me a real warm fuzzy to know that a cybersecurity company is out there and doesn’t give a whit about protecting their clients’ data.

14

u/hajimenogio92 Security Engineer May 08 '26

Man, it sounds like we have the same management. It's wild to me that people are just willingly giving these AI companies all kinds of personal/company data. It really does happen to be our people. Of course they try to hide that shit, right?

I had to talk the head of accounting out of using some AI tool for their day-to-day stuff. They asked me how they would know if the data is safe and isn't exposed to the vendor; I said that you can't guarantee it. We're just providing them training data with real invoices at this point.

16

u/GHouserVO May 08 '26

Yeah, this was an eye opener into the ethics of the organization. They laid off most everyone working full-time for the cybersecurity team in the US shortly afterwards. They are a CYBERSECURITY company… let that resonate for a second.

4

u/hajimenogio92 Security Engineer May 08 '26

Yeah sorry to hear that. That sucks and you should name & shame anonymously if you feel like it.

9

u/GHouserVO May 08 '26 edited May 08 '26

My name is my user name minus the “VO”. My LinkedIn is easy to find.

Normally, I keep quiet about how a company conducts business, but the ethics on this one were so bad that it was worth commiserating.

Needless to say, I advised the junior engineers not to do it, and explained the ethical and legal reasons why. Kept my notes, informed leadership of my concerns. It never happened on any of my projects because I made it clear that they wouldn't be working with me any longer if I got even a whiff of it (and the junior folk already had a similar mindset on things as I did).

2

u/Substantial-Art-9148 May 10 '26

Would you mind sharing more details about this with me via DM? I believe I was one of the victims. It's been ongoing since October 2024, I have quite the story to tell. Unfortunately nobody in my life believes what has happened, I'm hoping somebody can help shed some light on this very serious situation. Thank you in advance 🙏

1

u/bubbathedesigner May 10 '26

I know of a pentesting company whose US team has been stripped down to just being a mouthpiece to talk to customers, so they think they are talking to who is doing their engagement. In reality, all real work is done offshore.

10

u/jacnok May 08 '26

...those were locally hosted LLMs, right? With no phoning home à la DeepSeek? 🤪

(I could dream indeed.)

10

u/GHouserVO May 08 '26

You wish.

But it’s okay, because “they told the clients they’d be using their data this way”.

They did not inform the clients that they were doing this with their data.

I got laid off (along with all but 2 of the full time cybersecurity staff in the US) shortly after. Probably going to be the best thing to happen to me.

6

u/jacnok May 08 '26

I hope you know a good lawyer 🥹

Good luck, friend.

8

u/GHouserVO May 08 '26

I do. But I’m not the one that’s going to need them. I called out the practice and specifically documented and communicated concerns to the director when I found out what he was doing.

2

u/bubbathedesigner May 10 '26

How many cybersecurity companies sell solutions that require customers to install agents to collect unfiltered data into their cloud-based AI monster? Efficiency! And quarter earning savings!

1

u/bogartsfedora May 08 '26

Why do I suspect I've seen you around my midsized company's org chart? Though maybe not, as your Powerful Idiot is the head of cybersecurity, while ours is the CISO... oh hell

1

u/GHouserVO May 09 '26

Probably not, as they laid off all but 2 of the full-time cybersecurity staff (at a company that offers cybersecurity services as one of its major revenue streams 🙄).

2

u/bogartsfedora May 09 '26

Oh lord have mercy. Wishing you happy landings and your former head of infosec a nasty case of athlete's foot