Passkeys instead of passwords

White House issues Executive Order on AI

English Information Commissioner issues guidance re: monitoring workers

Amendments to the FOIP Regulations

Chief Information Officer of Canada bans WeChat and Kaspersky applications from government-issued mobile devices

Ontario IPC investigates hospital breaches

Toronto Public Library breach

Federal public servants information breached

Ontario IPC issues draft digital charter for schools

Federal Commissioner posts personal information glossary


Chatbots and Security

April 12, 2023 - Rick Yachiw, Director of Compliance

There are several security risks associated with using a chatbot, some of which include:

  1. Data privacy: Chatbots may collect sensitive personal data such as names, email addresses, phone numbers and financial information. If this data is not handled properly or falls into the wrong hands, it could be used for fraudulent activities.
  2. Malicious attacks: Chatbots are vulnerable to various attacks such as SQL injection, cross-site scripting, and phishing attacks. These attacks can compromise the chatbot’s security and expose sensitive date to malicious parties.
  3. Identity theft: Hackers can use chatbots to trick users into providing personal information, such as social security numbers, credit card information, and login credentials. This information can be used to commit identity theft.
  4. Unsecured APIs: Chatbots usually use APIs to communicate with backend systems. If these APIs are not properly secured, they can be exploited by attackers to gain unauthorized access to sensitive data.
  5. Lack of authentication: Chatbots that do not require user authentication are susceptible to attacks. Malicious actors can use the chatbot to impersonate legitimate users and access sensitive information.

To mitigate these risks, it is important to ensure that chatbots are designed with security in mind. This includes implementing strong authentication mechanisms, encrypting sensitive data, and regularly testing for vulnerabilities. Additionally, users should be educated on how to use chatbots safely and avoid sharing sensitive information.

Now, full disclosure – everything up to this point was written courtesy of ChatGPT.

Also, full disclosure – I did not use ChatGPT on any of my work devices to compose this blog; rather, I used my own personal device. I would never put my organization or its data at risk by using an application that is not recognized or approved by my organization to use – nor should you!

What is a chatbot? It is an application that uses artificial intelligence and user input to simulate a conversation with the user. ChatGPT is an advanced form of a conversational chatbot that can do things such as compose emails, essays, and even songs or poems! ChatGPT does a convincing job of writing content (except, if you notice, here in Canada we have social insurance numbers, not social security numbers). If writing is part of your everyday work, ChatGPT could prove useful and save time. Therein may lie the temptation to use an application such as Chat GPT.

However, ChatGPT is correct in that the use of a chatbot (and I am not suggesting specifically ChatGPT) could pose security risks for your organization. If you identify and prepare to eliminate those risks, a chatbot is not necessarily a bad idea. It may be the way of the future for many organizations, and certainly we are already seeing organizations employ them. But as with any application, you want to avoid creating system vulnerabilities by conducting risk and privacy impact assessments, and by talking to a security expert (I would suggest a real live one… at least not for now).


Categories: BlogTags: , ,

Back to Blog