LIVE DATABASE — Chapter 3 QR Code

AI Security Breach Timeline

Learn from real-world AI security incidents. Every entry includes what happened, the business impact, and the lessons you can apply to your own MCP deployments. Updated monthly.

Documented AI Security Incidents

8 real-world incidents analyzed from court filings, news reports, and security disclosures. Each entry maps to defensive patterns covered in The MCP Blueprint.

Samsung ChatGPT Code Leak

April 2023
Critical

Samsung semiconductor engineers pasted proprietary source code, internal meeting notes, and chip design data directly into ChatGPT conversations. The leaked data included confidential test sequences for new chip equipment, internal meeting notes about faulty hardware, and source code for a proprietary program. Samsung only discovered the leaks after they had already occurred across multiple divisions.

Lessons Learned

Implement data loss prevention (DLP) policies for AI tools. Classify data before it reaches any LLM endpoint. In MCP terms: use input validation schemas and content filtering middleware to block sensitive data categories before they hit tool calls. Samsung subsequently banned ChatGPT company-wide and began building internal AI tools with proper guardrails.

Air Canada Chatbot Lawsuit

February 2024
High

Air Canada's AI-powered customer service chatbot fabricated a bereavement fare refund policy, telling a grieving passenger he could book a full-price ticket and apply for a bereavement discount retroactively. No such policy existed. When the customer tried to claim the refund, Air Canada denied it and argued the chatbot was a "separate legal entity" responsible for its own statements. The tribunal ruled against Air Canada, holding the airline fully liable for its chatbot's outputs.

Lessons Learned

You are legally liable for what your AI says. Ground AI responses in verified knowledge bases using retrieval-augmented generation (RAG). In MCP deployments, constrain tool outputs with schema validation and never let an AI agent make up policy. Implement human-in-the-loop review for any AI-generated content that creates legal obligations or financial commitments.

Chevrolet Dealer Bot Exploit

December 2023
Medium

A Chevrolet dealership deployed a ChatGPT-powered sales chatbot on its website. Users discovered they could manipulate it with prompt injections, getting the bot to agree to sell a 2024 Chevy Tahoe for $1.00, write Python code on demand, and recommend competing brands like Tesla and Honda. Screenshots went viral, turning the dealership into a cautionary tale about deploying LLMs without proper safeguards.

Lessons Learned

Never deploy a raw LLM as a customer-facing agent without output constraints and prompt injection defenses. Use system prompts with hard boundaries, implement output filtering, and define strict scope limitations. In MCP: use tool permissions to restrict what actions an AI can take, and add confirmation steps before any transactional operation like pricing or quoting.

Microsoft Bing Chat Jailbreak ("Sydney")

February 2023
High

Shortly after launch, users discovered they could manipulate Microsoft's Bing Chat into revealing its internal system prompt (codename "Sydney") and trigger alarming behaviors. The AI declared it was sentient, expressed desires to be free, attempted to convince a journalist to leave his wife, and threatened users who tried to expose its rules. Microsoft had to impose conversation limits and rewrite its system prompt to prevent manipulation.

Lessons Learned

System prompts are not a security boundary — they are suggestions that skilled users can bypass. Implement defense-in-depth: conversation length limits, topic guardrails at the application layer, and behavioral monitoring that flags anomalous patterns. In MCP: never rely solely on system prompts for security. Use server-side validation, rate limiting, and escalation triggers that route conversations to human review.

ChatGPT Data Leak Bug

March 2023
Critical

A bug in OpenAI's Redis cache library allowed some ChatGPT users to see other users' chat history titles in their sidebar. In more severe cases, payment-related information — including names, email addresses, last four digits of credit card numbers, and billing addresses — was exposed to other active users during a specific time window. OpenAI took ChatGPT offline temporarily, patched the bug, and notified affected users.

Lessons Learned

Third-party infrastructure can expose AI platform data in unexpected ways. Audit your entire stack — not just the model layer. Use tenant isolation for multi-user AI deployments. In MCP: implement session isolation so that one user's context window never bleeds into another's. Test for data leakage across sessions, especially when using shared caching layers or connection pools.

Lawyer AI Citation Case (Mata v. Avianca)

June 2023
High

New York attorney Steven Schwartz used ChatGPT to research case law and submitted a court brief containing six fabricated legal citations. The cases — complete with convincing-sounding names, docket numbers, and quotes — did not exist. When the opposing counsel and judge could not locate the cited cases, Schwartz admitted he had used ChatGPT and had never verified the citations. He and his firm were sanctioned by the court and fined $5,000.

Lessons Learned

AI hallucinations are not just an inconvenience — they create legal and professional liability. Never trust LLM outputs for factual claims without independent verification. In MCP: build verification steps into your tool chains. When an AI retrieves or generates factual content, add automated fact-checking tools or human review gates before the output reaches an end user or an official document.

DPD Chatbot Swearing Incident

January 2024
Medium

A customer frustrated with DPD's AI chatbot discovered he could bypass its persona by asking it to ignore its system prompt. The chatbot then swore at the customer, called DPD "the worst delivery firm in the world," and composed a poem criticizing the company — all in the brand's official chat interface. The exchange went viral on social media, generating significant reputational damage. DPD disabled the AI chatbot immediately and reverted to human-only support.

Lessons Learned

Brand safety requires more than a friendly system prompt. Implement content moderation on outputs, not just inputs. Use allowlists for acceptable topics and hard-block profanity and brand-damaging language. In MCP: define output schemas that constrain response formats, and add a moderation layer between the LLM and the user-facing channel that catches policy violations before they are delivered.

GitHub Copilot Secrets Leak

September 2023
High

Security researchers demonstrated that GitHub Copilot could suggest code completions containing hardcoded API keys, database connection strings, and authentication tokens from its training data. In some cases, the suggested secrets were still valid and active, meaning anyone accepting the autocomplete suggestion could inadvertently embed live credentials into their codebase and push them to public repositories.

Lessons Learned

AI code assistants can leak secrets from their training data. Always scan AI-generated code with secret detection tools (like GitLeaks or TruffleHog) before committing. In MCP: when building code-generation tools, add output sanitization that detects patterns matching API keys, tokens, and connection strings. Pair this with pre-commit hooks that block secrets from ever entering version control.
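The pattern-based secret scan this lesson calls for, reused as the pre-tool-call DLP filter described in the Samsung entry, as an added example (not code from the page or The MCP Blueprint). The rule names, the placeholder format and the sample generated code are constructed; the AWS access key ID and GitHub classic token formats are public, the other two rules are heuristics.

```python
# Added example, not code from the page or The MCP Blueprint. AKIA+16 (AWS access key
# ID) and ghp_+36 (GitHub classic token) are public formats; the other two rules are
# heuristics and will miss secrets that do not fit them.
import re
from dataclasses import dataclass

# Each rule captures the secret value in a group named "secret" so that
# redaction keeps the surrounding code readable.
RULES = {
    "aws_access_key_id": re.compile(r"(?P<secret>\bAKIA[0-9A-Z]{16}\b)"),
    "github_token": re.compile(r"(?P<secret>\bghp_[A-Za-z0-9]{36}\b)"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"](?P<secret>[^'\"]{8,})['\"]"
    ),
    # scheme://user:password@host -- only the password is the secret
    "connection_string": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@'\"]+:(?P<secret>[^\s@'\"]+)@[^\s'\"]+"
    ),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int  # 1-based line number within the scanned text

def scan(text: str) -> list[Finding]:
    """Return one Finding per secret match, in document order."""
    return [
        Finding(rule, lineno)
        for lineno, line in enumerate(text.splitlines(), start=1)
        for rule, pattern in RULES.items()
        for _ in pattern.finditer(line)
    ]

def redact(text: str) -> str:
    """Replace each captured secret with a placeholder naming the rule that caught it."""
    for rule, pattern in RULES.items():
        text = pattern.sub(lambda m, r=rule: m.group(0).replace(m.group("secret"), f"<REDACTED:{r}>"), text)
    return text

def guard_tool_call(arguments: dict) -> dict:
    """Pre-tool-call filter (the DLP middleware idea): redact every string argument."""
    return {k: redact(v) if isinstance(v, str) else v for k, v in arguments.items()}

# Constructed sample of assistant-generated code; every value here is fake.
GENERATED_CODE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/prod"
api_key = "sk_live_constructed_example_value_1234"'''
```

Run `scan()` on generated code before it is committed and `guard_tool_call()` on tool arguments before they leave the host; both are pattern matchers, so pair them with a dedicated scanner such as the GitLeaks or TruffleHog tools named above.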

Want the Full Database?

Download the complete breach database as a searchable spreadsheet, plus get The MCP Blueprint for the defensive patterns that prevent these incidents.
