Microsoft Copilot Customers Discover It Can Let Them Read HR Documents, CEO Emails

According to Business Insider (paywalled), Microsoft's Copilot tool inadvertently let customers access sensitive information, such as CEO emails and HR documents. Now, Microsoft is working to fix the situation, deploying new tools and a guide to address the privacy concerns. The story was highlighted by Salesforce CEO Marc Benioff. From the report: These updates are designed 'to identify and mitigate oversharing and ongoing governance concerns,' the company said in a blueprint for Microsoft's 365 productivity software suite. Copilot's magic -- its ability to create a 10-slide road-mapping presentation, or to summon a list of your company's most profitable products -- works by browsing and indexing all your company's internal information, like the web crawlers used by search engines. IT departments at some companies have set up lax permissions for who can access internal documents -- selecting 'allow all' for the company's HR software, say, rather than going through the trouble of selecting specific users.

That didn't create much of a problem because there wasn't a tool that an average employee could use to identify and retrieve sensitive company documents -- until Copilot. As a result, some customers have deployed Copilot only to discover that it can let employees read an executive's inbox or access sensitive HR documents. 'Now when Joe Blow logs into an account and kicks off Copilot, they can see everything,' a Microsoft employee familiar with customer complaints said. 'All of a sudden Joe Blow can see the CEO's emails.'

Read more of this story at Slashdot.