US cyber defense chief accidentally uploaded secret government info to ChatGPT

Alarming critics, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, accidentally uploaded sensitive information to a public version of ChatGPT last summer, Politico reported.

According to “four Department of Homeland Security officials with knowledge of the incident,” Gottumukkala’s uploads of sensitive CISA contracting documents triggered multiple internal cybersecurity warnings designed to “stop the theft or unintentional disclosure of government material from federal networks.”

Gottumukkala’s uploads happened soon after he joined the agency and sought special permission to use OpenAI’s popular chatbot, which most DHS staffers are blocked from accessing, DHS confirmed to Ars. Instead, DHS staffers use approved AI-powered tools, like the agency’s DHSChat, which “are configured to prevent queries or documents input into them from leaving federal networks,” Politico reported.

It remains unclear why Gottumukkala needed to use ChatGPT. One official told Politico that, to staffers, it seemed like Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it.”

The information Gottumukkala reportedly leaked was not confidential but marked “for official use only.” That designation, a DHS document explained, is “used within DHS to identify unclassified information of a sensitive nature” that, if shared without authorization, “could adversely impact a person’s privacy or welfare” or impede how federal and other programs “essential to the national interest” operate.

There’s now a concern that the sensitive information could be used to answer prompts from any of ChatGPT’s 700 million active users.

OpenAI did not respond to Ars’ request to comment, but Cyber News reported that experts have warned “that using public AI tools poses real risks because uploaded data can be retained, breached, or used to inform responses to other users.”

Sources told Politico that DHS investigated the incident for potentially harming government security—which could result in administrative or disciplinary actions, DHS officials told Politico. Possible consequences could range from a formal warning or mandatory retraining to “suspension or revocation of a security clearance,” officials said.