The 2025 State of PII Leaks in ChatGPT Prompts
How everyday LLM prompts became one of the largest unmonitored data-exfiltration channels — and what actually works to close it.
Why prompt leaks are the new email attachment problem
Ten years ago the dominant data-loss vector at knowledge-work companies was the emailed spreadsheet. Prompts are today's equivalent. They travel outside the corporate perimeter, they carry unstructured personal data, and — unlike an email attachment — they are logged in a third-party inference cluster the sender does not control.
The scale caught most security teams off-guard. In 2024 Cyberhaven reported that 4.7% of employees had at some point pasted confidential data into ChatGPT; more recent samples from browser-DLP vendors put that number closer to 8–11% depending on industry. Legal, healthcare and financial services sit at the top of the range.
What actually gets pasted
When we bucket the categories we see repeatedly across incident reports, five patterns dominate:
- Client names, project codenames and contract clauses inside 'summarize this' prompts.
- Source code snippets that include hard-coded credentials, internal hostnames or private endpoints.
- Financial figures for deals-in-progress, board-deck drafts and MNPI.
- Patient notes, symptom lists and prescription histories pasted for 'help me draft a discharge summary'.
- Screenshotted spreadsheets pulled through an OCR tool then fed back into a chat.
Do the providers actually retain it?
OpenAI's consumer tier retains conversations by default and reserves the right to use them for training unless the user explicitly opts out. The Enterprise and API products (with a signed DPA and Zero Data Retention flag) do not — but that only helps if your employees are actually inside those tenants. In practice a large share of prompt traffic goes through personal accounts on unmanaged browsers.
Why server-side proxies keep failing
The dominant enterprise response has been a reverse proxy: force employees through a gateway that redacts PII before it reaches OpenAI. This works for API traffic but collapses for browser traffic. Employees route around it by opening ChatGPT on their phone, by using a personal Claude account, or by dictating into Gemini on a corporate laptop that was never enrolled in the proxy's TLS interception.
The proxy is also a single high-value target: every employee prompt in the company passes through it in plaintext. Compromise of that gateway is a full corpus disclosure.
Client-side redaction, and why it wins
A tool that runs entirely in the user's browser, redacts before the prompt is even copied out of the composer, and stores the mapping only in that tab, sidesteps both problems. Nothing traverses a corporate proxy. Nothing is stored server-side. If the user closes the tab the mapping is gone. If the laptop is compromised, the attacker gets one session, not a corpus.
PromptShielder was built to this shape on purpose. Detection runs against the DOM before the user hits send; tokens like [NAME_1] replace the raw values; on the way back the same in-memory dictionary restores them. No network round-trip is involved at any step.
What to measure now
- Sample your egress: how many domains under openai.com, anthropic.com, google.com, perplexity.ai does the average employee hit per week?
- Read your Article 30 record of processing. Is 'AI assistants' listed as a processor? If not you are under-recording.
- Ask three engineers to demonstrate the workflow they actually use. Not the sanctioned one. The one they actually use.
- Pick a redaction control that can operate on unmanaged browsers, on the employee's personal account, without a proxy.
Frequently asked
Is turning off ChatGPT training memory enough?+
It reduces one specific risk (future model training) but leaves retention, subpoena exposure, and internal-review access untouched. It is not a compliance control.
Do we need a DPA with OpenAI?+
If personal data of EU data subjects passes through the service in any workflow you tolerate, yes. Consumer accounts do not come with one.
Can a browser extension leak our prompts?+
Yes. Any extension with permissions to read page contents can. Client-side redaction still helps because the redacted string is what the extension reads.