Shadow AI: Community Bank Discloses Data Leak Linked to Unauthorized AI Use
Community Bank, a financial institution serving Pennsylvania, Ohio, and West Virginia, has officially notified regulators of a security lapse involving sensitive customer information. In an 8-K filing made on May 7 with the U.S. Securities and Exchange Commission, the bank revealed that personal data was exposed through the use of an “unauthorized artificial intelligence-based software application.”
The Dangers of Unregulated AI Tools
While the bank did not name the specific tool involved, the filing suggests a classic “shadow AI” scenario. It appears that sensitive records may have been uploaded to a third-party AI chatbot or platform, potentially granting the AI developer access to private customer files. The bank noted that the decision to disclose the incident was driven by the significant volume and the highly sensitive nature of the non-public information at risk.
Compromised Information
The exposure included critical personal identifiers that could be used for identity theft or fraud. The leaked data points include:
- Full names
- Dates of birth
- Social Security numbers
Investigation and Regulatory Compliance
The security failure was first identified by The Register, and subsequent reports from TechCrunch indicate that the bank is still determining the exact number of affected individuals.
Community Bank CEO John Montgomery has not yet commented on the breach. However, the organization confirmed it is currently “evaluating the customer data that was affected” and is preparing to send out formal notifications to those at risk, in compliance with state and federal privacy laws.
This incident serves as a cautionary tale for the financial sector. As employees look to leverage generative AI for productivity, the lack of strict data governance can lead to catastrophic privacy failures, especially when dealing with highly regulated information like Social Security numbers.







