Gen AI Security Breaches Timeline (2023-2025); Recurring Mistakes Are the Real Threat
11 Jun 2025, 13:19 • 13 min read
Secure Your Business Conversations with AI Assistants
Share article:
A single Gen AI security breach in the U.S. now averages to $9.36 million. While AI drives at least one function in 78% of organizations, phishing has jumped by 4,151% since ChatGPT’s debut.
Yet many enterprises treat these incidents as isolated events rather than indicators of systemic weaknesses.
Real-world examples paint a concerning picture. An $18.5 million scam used AI voice cloning in Hong Kong. Darktrace’s cybersecurity research reveals that 74% of security professionals call AI-powered threats their biggest concern.
The numbers keep climbing. Healthcare faces even steeper costs at $9.77 million per breach. With cybercrime costs projected to reach $23 trillion by 2027, your organization needs a resilient Gen AI security framework in place .
The question remains: can you afford to be part of this incidents list or is your enterprise smart enough to dodge this bullet?
This piece emphasizes recurring vulnerability patterns in Gen AI systems, ties them to concrete incidents, and offers a robust Gen AI security framework with OWASP LLM Top 10 mapping and actionable guidance.
Summary of Top 10 Gen AI Security Incidents(2023–2025)
| Incident | Date | Financial Impact | OWASP LLM Categories |
|---|---|---|---|
| ChatGPT Redis Bug Exposing User Data | March 20, 2023 | No direct loss; reputational/regulatory risk | LLM06, LLM08 |
| Samsung Internal Code Leak via ChatGPT | May 2023 | No direct loss; operational/IP concerns | LLM06, LLM08 |
| Large-Scale Credential Theft (ChatGPT) | Mid 2022–May 2023 | Indirect costs (unauthorized API use) | LLM06, LLM08 |
| Prompt-Injection Exfiltration Demo | May 31, 2024 | No direct loss; privacy/regulatory risk | LLM03, LLM08 |
| Arup Deepfake Video Fraud | Jan–Feb 2024 | ≈US$25 M stolen | LLM09, LLM07, LLM08 |
| Maine Municipality AI Phishing Scam | January 2025 | ≈$10K–$100K stolen | LLM04, LLM07, LLM09 |
| Hong Kong Crypto Heist via Voice Deepfake | Early 2025 | ≈US$18.5 M stolen | LLM07, LLM09 |
| ChatGPT Search Tool Prompt-Injection | December 2024 | No direct loss; trust/brand impact | LLM01, LLM03 |
| Google Gemini Memory Prompt-Injection | February 11, 2025 | No direct loss; reputational risk | LLM01, LLM03 |
| DeepSeek Cloud Misconfiguration Leak | January 29, 2025 | No theft confirmed; potential fines/reputation hit | LLM02, LLM06, LLM08 |
Recurring Vulnerability Patterns in Gen AI Deployments
Rather than treating each breach as unique, security teams should recognize that many incidents arise from similar weaknesses. Below are eight key patterns, each paired with concrete examples to show how they play out in practice.
1.1 Prompt Injection & Manipulation
What it is: Attackers craft or embed inputs that override or corrupt system prompts, causing the model to reveal data or perform unintended actions.
OWASP LLM Mapping:
LLM01 (Prompt Injection)
LLM03 (Output Poisoning) when manipulated inputs produce harmful or misleading outputs.
Why it recurs: Many integrations lack thorough input validation or adversarial testing, and system/user prompt boundaries are not strictly enforced.
Defenses:
Implement rigorous input sanitation and separate system/developer prompts from user-supplied content.
Conduct red-team exercises to probe for injection vectors.
Apply runtime detection for unusual prompt patterns (e.g., hidden markers).
Log and analyze prompts for anomalies.
Examples:
ChatGPT Search Tool Prompt-Injection (Dec 2024)
Hidden content on a web page caused ChatGPT’s search integration to process malicious instructions, resulting in misleading or dangerous suggestions. While no data was stolen, this undermined trust.
Impact: No direct financial loss; reputational/brand risk.
OWASP: LLM01, LLM03.
Google Gemini Memory Prompt-Injection (Feb 11, 2025)
A researcher showed that embedding concealed instructions in documents could alter Gemini’s stored memory, leading to unexpected behaviors later. Google acknowledged the issue—no losses reported—but reputational implications exist.
Impact: No direct monetary loss; potential trust erosion.
OWASP: LLM01, LLM03.
Prompt-Injection Exfiltration Demonstration (May 31, 2024)
Controlled research demonstrated that carefully designed prompts can coax models into leaking private or proprietary content from memory-like features. It was not an exploit in the wild but led platforms to strengthen safeguards.
Impact: No theft; illustrates privacy/regulatory exposure if exploited.
OWASP: LLM03, LLM08.
1.2 Misconfiguration & Exposure of AI Infrastructure
What it is: Inadvertent exposure of cloud resources (open storage buckets, mis-set IAM roles, public endpoints) containing sensitive AI-related data (logs, API keys, datasets).
OWASP LLM Mapping:
LLM06 (Misconfiguration / Improper Access Controls)
LLM08 (Insufficient Data Protection)
LLM02 (I/O Validation) when exposed interfaces accept harmful inputs.
Why it recurs: Teams prototype AI features quickly, sometimes bypassing security checks; default cloud settings may remain unreviewed.
Defenses:
Integrate automated IaC scanning into CI/CD to catch open buckets or overly permissive roles.
Enforce least-privilege access for all AI-related resources.
Regularly audit cloud permissions and rotate keys.
Encrypt stored logs and sensitive artifacts.
Examples:
ChatGPT Redis Bug (March 20, 2023)
A flaw in how Redis connections were handled allowed some ChatGPT Plus users to see fragments of others’ chat titles and limited billing details for several hours. OpenAI patched the bug and alerted users.
Impact: No direct theft; reputational or regulatory scrutiny from user data exposure.
OWASP: LLM06, LLM08.
Samsung Code Leak via ChatGPT (May 2023)
Employees accidentally sent confidential code/docs into ChatGPT. Samsung publicly confirmed the exposure and restricted Gen AI usage on internal devices until policies were strengthened.
Impact: No direct monetary loss; operational disruption and IP protection concerns.
OWASP: LLM06, LLM08.
DeepSeek Cloud Misconfiguration Leak (Jan 29, 2025)
Security researchers found a public ClickHouse instance exposing over 1 million chat logs, API keys, and internal metadata. DeepSeek fixed it quickly; regulators noted unauthorized data transfers.
Impact: No confirmed theft; possible regulatory penalties and brand damage.
OWASP: LLM06, LLM08, LLM02.
1.3 Data Poisoning & Training-Data Integrity Risks
What it is: Insertion of malicious or biased data into training/fine-tuning sets, undermining model behavior or embedding covert triggers/backdoors.
OWASP LLM Mapping:
LLM03 (Training Data Poisoning)
Why it recurs: Use of publicly sourced datasets without verifying provenance or integrity; inadequate validation before full-scale training.
Defenses:
Keep an AI-BOM for all datasets; track origin and version.
Test sample outputs before large-scale training to detect anomalies.
Use differential privacy or noise techniques where feasible.
Monitor model performance for sudden deviations post-training.
Example:
Maine Municipality AI Phishing (Jan 2025)
Although primarily a social-engineering attack, attackers leveraged publicly available details to tailor AI-generated phishing content. This reflects a “data poisoning for personalization” mindset, using accessible data to craft more convincing malicious inputs.
Impact: ~$10K–$100K stolen.
OWASP: LLM04 (Data Poisoning for personalization), overlapping LLM07 & LLM09.
1.4 Overreliance on AI Outputs & Deepfake-Enabled Social Engineering
What it is: Blind trust in AI-generated voices, videos, or text triggers phishing or fraud, as human recipients fail to verify authenticity.
OWASP LLM Mapping:
LLM09 (Overreliance on AI-Generated Content)
LLM07 (Insecure Communication Design) when verification controls are inadequate.
Why it recurs: Convincing AI outputs lower human skepticism; organizations lack robust out-of-band checks for high-risk operations.
Defenses:
Mandate multi-factor or out-of-band confirmation for sensitive actions (e.g., fund transfers).
Train staff to recognize AI-driven impersonation tactics.
Deploy AI-based deepfake detection in communication tools.
Examples:
Arup Deepfake Video Fraud (Jan–Feb 2024)
Deepfake video/audio mimicked executives in a conference call, tricking an Arup Hong Kong employee into sending ~HK$200 M (~US$25 M) to fraudulent accounts.
OWASP: LLM09, LLM07, LLM08.
Hong Kong Crypto Heist via AI Voice (Early 2025)
A victim received AI-cloned voice messages impersonating a finance manager, directing transfers of cryptocurrency (~HK$145 M / ~US$18.5 M).
OWASP: LLM09, LLM07.
Maine Town AI Phishing (Jan 2025)
Deepfake voice and AI-crafted emails impersonated officials, persuading staff to approve payments.
OWASP: LLM09, LLM04, LLM07.
1.5 Insufficient Output Handling & Leakage
What it is: Models inadvertently reveal sensitive details in their responses or generate unsafe content that downstream systems act on.
OWASP LLM Mapping:
LLM02 (Insecure Output Handling)
LLM08 (Insufficient Data Protection)
Why it recurs: Responses are consumed without filtering; teams may trust raw outputs too readily.
Defenses:
Apply post-response filters/redaction to strip sensitive tokens or proprietary text.
Validate model outputs before feeding into other processes.
Limit or monitor high-risk queries.
Establish alerts for anomalous patterns in outputs.
Examples:
ChatGPT Redis Bug showed unintended exposure via response handling (Mar 2023).
OWASP: LLM06, LLM08.
Prompt-Injection Exfiltration Demo underscores leakage risk if outputs are not constrained (May 2024).
OWASP: LLM03, LLM08.
1.6 Supply-Chain & Dependency Vulnerabilities
What it is: Inclusion of compromised or vulnerable libraries, model artifacts, or tooling in AI development pipelines.
OWASP LLM Mapping:
LLM05 (Supply Chain Vulnerabilities)
Why it recurs: Reliance on open-source components without vetting; rapid integration under time pressure.
Defenses:
Maintain an AI-BOM of dependencies and model versions.
Use vetted registries or signed artifacts.
Run automated dependency-scanning tools.
Execute models in sandboxed environments.
1.7 Excessive Agency & Overprivileged AI Agents
What it is: AI agents granted broad rights to perform actions (e.g., sending messages, modifying configurations) without adequate human oversight, enabling misuse.
OWASP LLM Mapping:
LLM08 (Excessive Agency)
Why it recurs: Desire for automation can lead teams to grant too many permissions; lacking manual checkpoints.
Defenses:
Apply least-privilege principles for agent permissions.
Require explicit human approval before critical actions.
Provide “kill-switch” or manual intervention controls.
Log and review agent-initiated operations regularly.
1.8 Credential & Endpoint Security Risks
What it is: Theft of API keys or account credentials (e.g., via malware or phishing), leading to unauthorized AI access or data exfiltration.
OWASP LLM Mapping:
LLM06 (Endpoint Misconfiguration)
LLM08 (Insufficient Data Protection)
Why it recurs: Inadequate credential storage practices; lack of enforced multi-factor authentication; insufficient endpoint defenses.
Defenses:
Enforce MFA for AI platform and API access; rotate keys regularly.
Store secrets in secure vaults; avoid hardcoding.
Deploy endpoint protection to block credential-stealing malware.
Monitor for anomalous API usage patterns.
Example:
Large-Scale Credential Theft for ChatGPT Accounts (Mid 2022–May 2023): Malware extracted over 100K ChatGPT credentials from infected devices, enabling unauthorized API usage.
OWASP: LLM06, LLM08.
Brief narrative call-outs for the most pivotal moments
The Hong Kong Heist (Q3 2023): This stands out as the most sophisticated Gen AI security breach yet. Attackers blended voice cloning with immediate LLM manipulation to trick a financial controller into sending $18.5 million. The attack showed how mixing multiple gen ai security risks creates powerful social engineering tools.
Operation Shadow Syntax (Q1 2024): A discovery by security researchers revealed attackers targeting AI development environments. They planted subtle code flaws through compromised autocomplete suggestions. This showed that Gen AI security must protect both models and the entire AI development process.
The Maine Municipality Attack (Q4 2024): This attack changed how we think about Gen AI security. Criminals used deepfake audio of government officials to approve fake payments.
These incidents highlight why organizations need resilient Gen AI security measures. Attackers keep finding new ways to exploit Gen AI systems, which makes detailed protection strategies essential.
Top-5 Gravity Rankings
Google Bard Misinformation Incident (Feb 2023): $100 billion market value disappeared after wrong information during demonstration]
AI-Specific Data Breach Average (2025): $4.80 million per incident affects 73% of companies
Traditional Data Breach Average (2023): $4.45 million per incident hits all-time high
Samsung Data Leak via ChatGPT (May 2023): Employees exposed secret information through GenAI tools
Amazon Training Data Incident (Jan 2023): Company lost over $1 million when sensitive information leaked.]
Numbers tell a clear story about Gen AI security risks. Companies using AI-specific security monitoring cut detection times by 61%. This shows how specialized tools boost security. AI-specific breaches take longer to spot and fix (290 days) than regular data breaches (207 days).
Banks and financial firms pay the highest fines. Healthcare companies leak AI data most often. The FTC cracked down hard on AI security and collected $412 million in settlements just in Q1 2025.
Some good news exists though. Gen AI helps companies resolve security incidents 30.13% faster. Companies with resilient Gen AI security systems handle incidents better.
AI brings IT and OT systems together in new ways. This creates new risks. About 73% of manufacturing security leaders say they can’t tell where IT security ends and OT begins. This shows why companies need complete Gen AI security measures to protect both technical and operational weak spots.
GenAI Incident Readiness Checklist
Security teams need a well-laid-out approach to prepare for Gen AI security incidents. A newer study shows that 77% of enterprises lack a cybersecurity incident response plan. This makes them vulnerable when critical situations arise. The right controls must be in place before deployment to minimize risks.
The 10-point checklist every CISO needs to tick off today
Establish governance framework: Your organization needs an AI RACI (responsible, accountable, consulted, informed) chart that maps AI efforts. Document the people who will oversee risks and governance while setting up company-wide AI policies.
Conduct risk assessments: Start by reviewing security risks tied to new AI vendors. Check their compliance with standards like GDPR or SOC 2 and ask for detailed audit logs.
Implement detailed access controls: Lock down AI system access with strict authentication protocols. This stops unauthorized usage and creates clear lines between operational and technical domains.
Reduce input/output risks: Set up thresholds that filter harmful content, jailbreaks, and prompt injection attacks. Make sure to block or mask sensitive information including personally identifiable information (PII).
Create and maintain an AI-BOM: Keep a detailed record of all components used in AI systems. This helps you track third-party libraries, datasets, and handle supply chain threats.
Deploy continuous monitoring: Your team needs to watch for anomalies immediately. Keep an eye on model inputs, outputs, and performance metrics to spot vulnerabilities before they cause damage.
Develop GenAI-specific incident response plan: Write down detailed procedures to detect, respond to, and contain AI-related security incidents. Regular tabletop exercises will test your response capabilities.
Conduct regular AI audits: Plan periodic checks of AI models for integrity, security, and compliance issues. Add adversarial testing to simulate potential attacks on your systems.
Implement data protection measures: Your data needs proper sanitization and filtering before AI systems process it. This protects against data poisoning and unauthorized access to training datasets.
Train staff on AI security: Your employees should know about approved AI tools and potential risks. Build a culture of trust where staff can report unauthorized AI usage comfortably.
The balance between technical controls and organizational readiness matters greatly. Organizations that use these measures show a 30.13% reduction in security incident response times. This checklist builds the foundation of a strong Gen AI security framework that can handle emerging threats.
CISO Takeaways
Security teams face new challenges with Gen AI security incidents developing faster than ever. Teams that put AI-specific incident response plans in place catch and contain breaches earlier than those using traditional approaches.
Key lessons learned from each incident category
Looking at recent cybersecurity incidents reveals five critical lessons:
Systems thinking is essential: Gen ai security fails when handled in isolation. The solution lies in complete frameworks that look at models, infrastructure, data stores, and supporting components as connected elements.
Break down security silos: Teams that bring together AppSec, InfraSec, and DataSec spot threats 61% faster than those working separately. This teamwork becomes crucial during complex AI incidents.
Balance security with safety: Gen AI security differs from traditional systems. You need to protect your system from attackers while making sure your AI doesn’t cause harm through misuse. Your security approach must cover both areas.
Continuous development is non-negotiable: AI systems change too often for yearly security reviews to work. Good protection needs ongoing analysis and quick changes as new threats pop up.
Human-machine collaboration yields results: Teams using GenAI tools write full incident summaries 51% faster and improve quality by 10%. The best results come from combining human expertise with AI capabilities.
How Wald AI Empowers Your GenAI Security
Wald.ai protects businesses against Gen AI security threats with its contextual intelligence platform. The solution connects businesses to leading AI assistants like ChatGPT, Gemini, Claude, and Llama. It manages to keep robust security and tackles critical weak points revealed by recent cybersecurity incidents.
DLP for AI
Traditional DLP tools don’t deal very well with today’s dynamic, unstructured data because of rigid pattern-matching techniques. Wald’s advanced contextual engine provides:
Intelligent redaction removes sensitive information before it reaches any LLM and replaces it with suitable substitutions to keep prompts working effectively.
Context-aware analysis cuts false positives by up to 10x compared to standard regex-based tools.
End-to-end encryption works at every processing stage to ensure data security throughout the workflow.
Automated repopulation of sensitive data after receiving AI responses keeps information secure without losing utility.
Conclusion
Your organization’s protection depends on implementing the 10-point CISO checklist. This complete strategy reduces exposure to new threats by setting up governance frameworks, running risk assessments, and creating AI-specific incident response plans.
Specialized platforms like Wald.ai protect systems through contextual intelligence and advanced DLP features. Our method tackles unique challenges in securing Gen AI while you retain control over productivity benefits.
Moving forward requires a balance between breakthroughs and strong security practices. Your security approach must adapt as AI capabilities grow. These strategies will help reduce your organization’s risk exposure while you tap into AI’s full potential safely.
Next Steps
See Wald live in action: Schedule a demo.
FAQs
Q1. What are the major security risks associated with Gen AI? Gen AI poses significant security risks, including prompt injection attacks, data poisoning, insecure output handling, and sensitive information disclosure. These vulnerabilities can lead to unauthorized access, data breaches, and financial losses for organizations.
Q2. How much have Gen AI security breaches cost organizations? Between 2023 and 2025, Gen AI security breaches resulted in financial losses exceeding $2.3 billion across various industries. The average cost of an AI-specific data breach reached $4.80 million per incident.
Q3. What steps can organizations take to protect themselves against Gen AI security threats? Organizations should implement a comprehensive security framework that includes establishing governance policies, conducting regular risk assessments, implementing strict access controls, deploying continuous monitoring systems, and developing AI-specific incident response plans.
Q4. How is AI being used in cybersecurity attacks? Cybercriminals are leveraging AI to create more sophisticated and adaptive attacks. This includes using AI for advanced phishing schemes, voice cloning in social engineering attacks, and automating the discovery of system vulnerabilities.
Q5. What role does employee training play in Gen AI security? Employee training is crucial in mitigating Gen AI security risks. Organizations should educate staff about approved AI tools, potential risks, and foster a culture where employees feel comfortable reporting unauthorized AI usage or suspicious activities.