
Copy-and-Paste Now Exceeds File Transferring as the Top Corporate Data Exfiltration Vector (scworld.com)

Slashdot reader spatwei writes: It is now more common for data to leave companies through copying and pasting than through file transfers and uploads, LayerX revealed in its Browser Security Report 2025.

This shift is largely due to generative AI (genAI), with 77% of employees pasting data into AI prompts, and 32% of all copy-pastes from corporate accounts to non-corporate accounts occurring within genAI tools.

'Traditional governance built for email, file-sharing, and sanctioned SaaS didn't anticipate that copy/paste into a browser prompt would become the dominant leak vector,' LayerX CEO Or Eshed wrote in a blog post summarizing the report.

"GenAI now accounts for 11% of enterprise application usage," notes this article from SC World, "with adoption rising faster than many data loss protection (DLP) controls can keep up. Overall, 45% of employees actively use AI tools, with 67% of these tools being accessed via personal accounts and ChatGPT making up 92% of all use..."

"With the rise of AI-driven browsers such as OpenAI's Atlas and Perplexity's Comet, governance of AI tools' access to corporate data becomes even more urgent, the LayerX report notes."

  • Bad OpSec (Score:4, Interesting)

    by PPH ( 736903 ) on Saturday November 15, 2025 @11:37PM (#65798293)

    ... combined with a large dose of IT illiteracy.

    Where do people think data pasted into a web page form goes? Never mind the AI part, being able to read simple queries will give outsiders some intelligence about the kinds of projects and technologies your organization is working with. A foreign intelligence organization posing as an on-line seller can buy the right set of ad words and really go fishing for some interesting information.

    • Combined with employees simply not caring about the "privacy" of company information.

      • That's not in the job description. Companies need to dial back the expectations on employees. Especially if they treat their employees as disposable contractors.
        • Technically, it *is* in the job description. Most employers these days make employees sign an NDA which specifically requires them to "care" about the privacy of company information, and spells out consequences if they do leak information, which can generally include termination and even lawsuits.

      • I'm really not sure how AI can be useful for business use if you don't copy sensitive information. Say you are having AI assist you with a long script. If you have to blank out every IP address, hostname, etc before getting that assistance, then the AI quickly becomes less worthwhile. To put it another way, why would my company beg me to use AI if they didn't want that stuff in there? It seems like unrealistic expectations are being put on the employee here, as usual.
        • why would my company beg me to use AI if they didn't want that stuff in there?

          They beg you to use exclusively the one for which they have a contract. But employees will have their own preferences.

        • AI is not created equal, and not all AI use leaks information. Companies typically will specify certain AI tools that employees can use, because the makers of those tools have entered into an NDA with the company, assuring the security team that they will not leak information provided to the AI tool.

          Some AI tools, like those free meeting note taker bots, are designed *specifically* to leak company information. If the AI tool is free, it's probably not safeguarding company confidential information.

    • Re: (Score:3, Insightful)

      by cameloid ( 120654 )

      That's the thing, isn't it. Regular folks who don't really know how any of this (in the broadest sense) works will have no idea where anything that they type into the computer goes.

      Quite frankly, with this sort of thing, it's absolutely the company's responsibility to ensure that their staff are being properly trained, if the company's information is that important. That means either actually investing in their employees, or ensuring that new kids are up to snuff on this sort of thing.

      It's probably even wors

    • by Anonymous Coward

      Where do people think data pasted into a web page form goes? Never mind the AI part, being able to read simple queries will give outsiders some intelligence about the kinds of projects and technologies your organization is working with. A foreign intelligence organization posing as an on-line seller can buy the right set of ad words and really go fishing for some interesting information.

      Personally I found out the clipboard API even existed just a few years ago. I still find it shocking a web page can install a listener to accept paste of any data, including files, etc., without prompting the user and without any explicit indication data is being transmitted.
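
Added example, not part of the comment above or of the original page: a paste guard of the kind a browser-side DLP control could run, showing what a `paste` event hands to a page (text and files, with no prompt) and how IP addresses and hostnames could be redacted before they reach a prompt. The pattern list, the `.corp.example` suffix and the function names are constructed assumptions.

```javascript
// Added example: DLP-style paste guard. Patterns and the ".corp.example"
// suffix are constructed assumptions, not taken from the LayerX report.
const PATTERNS = {
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  internalHost: /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.corp\.example\b/gi,
  privateKey: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g,
};

// Summarise what a paste event exposes to the receiving page.
function scanPaste(clipboardData) {
  const text = clipboardData.getData('text/plain') || '';
  const findings = { chars: text.length, files: clipboardData.files.length };
  for (const [name, re] of Object.entries(PATTERNS)) {
    findings[name] = (text.match(re) || []).length;
  }
  return findings;
}

// Replace matches with typed placeholders so the prompt keeps its structure.
function redact(text) {
  let out = text;
  for (const [name, re] of Object.entries(PATTERNS)) out = out.replace(re, `<${name}>`);
  return out;
}

// Decide per paste: block files and key material, redact addresses and hosts.
function guardPaste(event) {
  const f = scanPaste(event.clipboardData);
  if (f.files > 0 || f.privateKey > 0) {
    event.preventDefault();
    return { action: 'block', findings: f, text: null };
  }
  if (f.ipv4 + f.internalHost > 0) {
    event.preventDefault(); // suppress the raw paste; redacted text replaces it
    const text = redact(event.clipboardData.getData('text/plain'));
    return { action: 'redact', findings: f, text };
  }
  return { action: 'allow', findings: f, text: null };
}

// Browser only: capture phase, so the guard runs before the page's listeners.
if (typeof document !== 'undefined') {
  document.addEventListener('paste', (e) => {
    const r = guardPaste(e);
    if (r.action === 'redact') document.execCommand('insertText', false, r.text);
  }, true);
}
```

The IPv4 pattern also matches four-part version strings, so a real deployment would tune the patterns and log the findings rather than rely on blocking alone.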

    • Employees are supposed to use AI, but get no corporate AI accounts. This is the result.

  • GenAI now accounts for 11% of enterprise application usage

    Maybe I'm old or out of touch (or both) but for the life of me I cannot think of a reason for that number to be more than maybe 1% outside of some lazy programmers.

    • Scary if it is true. Shows how much of the work can be replaced by something frequently wrong and no one notices or cares.
    • Re:Really? WTF? (Score:5, Insightful)

      by Tony Isaac ( 1301187 ) on Sunday November 16, 2025 @12:41AM (#65798323) Homepage

      I have no trouble believing it, based on nothing more than the sheer number of meetings employees are forced to attend each day at today's companies. Somebody's got to prepare all those slide decks to use for their presentations, and AI is pretty darn good at it.

      Also, spreadsheet formulas and document writing.

      11% doesn't seem so high to me.

    • Every Google search has ai at the top. That is generative too.
      • Mod parent up. I use gen AI all the time when I search for man pages and python docs. And by use, I mean I scroll past the results text as far as I need to until there's something resembling a link that's not an advertisement. Then I click the link.
      • by cusco ( 717999 )

        True enough, which is one of the reasons why I'm using Google less and less. It just irritates me that the company thinks it knows what I want better than I do, especially when I know that their 'summary' is artificially slanted towards whatever the company WANTS that I should believe rather than what's actually real.

      • You just have to append "-ai" to your query and Google will not show any Gemini generated content.
    • outside of some lazy programmers.

      High usage in administrative departments (Legal, marketing, HR). They process text all the time, they need new templates, they need to fill said templates with company data.

  • I mean, it's hard to exfiltrate data via copy paste on an air gapped network.
  • Like so?

    select * from Citizens
    CTRL+A
    CTRL+C
    ALT+TAB
    CTRL+V

    • by mattr ( 78516 )

      It's more like "spell check my email" I expect. Probably not a lot of people actually pasting spreadsheets into context. I am guessing 100% of non-native and overseas users are using it to help them write English, at least based on one company I know (I think if they have a contract they figure it is safe...).

      And as for myself I write a lot of documents and email in a second language. I am very careful not to post anything sensitive but have found Claude to be amazingly good at checking emails or installati

      • Bam. Based on casual chit chat with non techies, I'm hearing just about everyone says they get chatgpt to rewrite/edit all correspondence .. business and personal. Everything.

        I guess most people are below average in writing ability?
      • I have definitely started getting emails from our offshore team where the grammar is dramatically improved over a year or two ago.

      • You are correct. Donald Knuth, the famous computer scientist, himself says LLMs generate excellent "copy".
        One day, exchanging (polite) messages with obvious typos and unexpected turns of grammar and side-musings will be seen as a sign of genuine affection between humans communicating. :)

  • Not all of them, but most of them. Which is one reason why they like LLMs so much.

  • Indeed (Score:4, Interesting)

    by nospam007 ( 722110 ) * on Sunday November 16, 2025 @05:59AM (#65798577)

    Ditto for newspapers.

    Since lots of them prevent AI from actually READING their articles, I have to toggle Reader View and copy/paste the WHOLE article into ChatGPT if I want to ask it questions about it. Since millions of people do that, NOBODY can accuse ChatGPT of having 'harvested' the data without authorization.

    Also, since there's no upper limit for copy/paste, I occasionally paste full books into ChatGPT too.

  • So obviously any side effects that come from that use are going to be forgiven, right?

  • Looking forward to the day corporate policy will disable Copy/Paste because of the "security implications", the same way they sometimes block taking screenshots. What next, disable mouse use, just in case you might click the wrong link?

  • Doh! (Score:3, Funny)

    by meandmatt ( 2741421 ) on Sunday November 16, 2025 @05:45PM (#65799307)
    My favorite is when I stupidly type my password in and hit enter, not realizing my cursor is not in the password field, it's in my web browser, at which point google AI makes up some revelation about my password, while several other sites offer purchase options etc.
