📰 Originally published on Securityelites — AI Red Team Education — the canonical, fully-updated version of this article.
Samsung engineers pasted proprietary source code into ChatGPT. The code hit OpenAI’s servers. Three separate incidents in 20 days. Samsung had to ban ChatGPT company-wide and spend significant resources building internal AI tools as a replacement. The data, once submitted, could not be retrieved or deleted from OpenAI’s systems. The data was already gone. This is the business risk of using AI tools without understanding what happens to the information you type into them. The answer to “is ChatGPT safe for work” is nuanced — it depends which plan you’re on, what you put in, and whether your organisation has policies covering it. Here is the complete picture.
What You’ll Learn
What OpenAI does with the conversations you have on ChatGPT
The difference between free, Plus, Team, and Enterprise plans for data privacy
What the Samsung incident actually teaches about AI data risk
A clear list of what you should and shouldn’t put into ChatGPT at work
How to adjust your settings to reduce data exposure right now
⏱️ 10 min read ### Is ChatGPT safe for work – ChatGPT Work Safety Complete Guide 2026 1. What OpenAI Does With Your Conversations 2. Free vs Plus vs Team vs Enterprise — Data Policy Differences 3. The Samsung Case — What Actually Happened 4. What You Should Never Enter Into ChatGPT at Work 5. Settings to Change Right Now For the AI security technical picture — prompt injection, jailbreaking, and platform vulnerabilities — see the ChatGPT security incidents guide. The prompt injection explainer covers the AI-layer risks separate from the data privacy risks discussed here.
What OpenAI Does With Your Conversations
My summary of OpenAI data practices for the default ChatGPT free and Plus plans — and this is what most employees using the free tier for work don’t realise: conversations are stored, may be reviewed by human trainers, and by default are used to improve future versions of the model. This is not hidden — it’s in the privacy policy — but it’s rarely top of mind when someone opens a chat window. Understanding it changes how you should use the tool.
OPENAI DATA PRACTICES — FREE AND PLUS PLANSCopy
What happens to your conversations by default
Stored: yes — OpenAI stores conversation history
Human review: possible — OpenAI staff may review conversations for safety/quality
Training use: yes by default — conversations used to improve models
Retention: conversations retained until you delete them or your account
What OpenAI can see
Everything you type — prompts, pastes, documents uploaded
Images uploaded for analysis
Custom GPT conversations (depends on GPT owner’s settings)
What this means practically
Anything you type could be read by OpenAI employees
Anything you type could influence future AI model outputs
Anything you type could theoretically appear in responses to other users if memorised
Free vs Plus vs Team vs Enterprise — Data Policy Differences
The plan you’re on significantly affects your data privacy position. I summarise this for clients evaluating AI tools for business use: free and Plus are consumer products with consumer data practices. Team and Enterprise are business products with contractual data protection commitments.
CHATGPT PLAN DATA POLICY COMPARISONCopy
Free and ChatGPT Plus ($20/month)
Training use: yes by default (opt-out available in settings)
Human review: possible
Data storage: OpenAI’s US servers
Appropriate for: personal use, non-sensitive business tasks
Not appropriate: anything confidential, personal data, financial data, client data
ChatGPT Team ($30/user/month)
Training use: NO — conversations not used for training by default
Human review: no by default
Workspace: separate workspace, conversations not shared between orgs
Appropriate for: small business use with moderate sensitivity data
ChatGPT Enterprise (custom pricing)
Training use: NO — contractual commitment not to use for training
Data residency: options available for EU data residency
Admin controls: usage policies, access controls, audit logs
BAA available: Business Associate Agreement for healthcare (HIPAA)
Appropriate for: enterprise use with sensitive business data (with proper governance)
Key practical guidance
Using free or Plus for business = Samsung risk
Team or Enterprise = reduced but not zero risk (still requires usage policy)
No plan = appropriate for medical records, legal privilege, classified data
The Samsung Case — What Actually Happened
The Samsung incident is the most instructive real-world example of enterprise AI data risk. My analysis of what it reveals for other organisations: the risk wasn’t a hack. It wasn’t a breach. It was employees doing something reasonable — getting help reviewing code — without understanding that “sending it to ChatGPT” was equivalent to sending it to an external party.
THE SAMSUNG CHATGPT INCIDENT — TIMELINE AND LESSONSCopy
What happened (April 2023)
Incident 1: engineer pasted semiconductor equipment source code for debugging help
Incident 2: different engineer pasted code to optimise for a specific use case
Incident 3: employee used ChatGPT to summarise confidential meeting notes
All three occurred within 20 days of Samsung allowing ChatGPT for internal use
What the consequences were
The code and meeting notes entered OpenAI’s servers
Samsung could not retrieve or delete the data once submitted
Samsung banned ChatGPT entirely and invested in building internal AI tools
📖 Read the complete guide on Securityelites — AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites — AI Red Team Education →
This article was originally written and published by the Securityelites — AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites — AI Red Team Education.
Top comments (0)