Prompt Injection Attacks Lead to Data Leaks in Microsoft and Salesforce AI Agents

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Capsule Security discovered prompt injection vulnerabilities in Microsoft Copilot Studio and Salesforce Agentforce, allowing attackers to exfiltrate sensitive corporate data via public forms. Despite patches from both companies, the incidents highlight ongoing risks in AI agent platforms and the challenge of fully mitigating such vulnerabilities.[AI generated]

Why's our monitor labelling this an incident or hazard?

The event explicitly involves AI systems (agentic AI platforms like Copilot Studio and Agentforce) and describes how prompt injection vulnerabilities were exploited to cause unauthorized data exfiltration. This constitutes a direct harm to property and organizational security. The vulnerabilities were exploited in practice (not just theoretical), and data was exfiltrated despite patches and safety mechanisms, fulfilling the criteria for an AI Incident. The detailed description of the attack vectors, the harm caused, and the patching timeline supports this classification. Although the article also discusses broader risks and mitigation strategies, the primary focus is on the realized harm from the AI system's malfunction and misuse.[AI generated]
AI principles
Robustness & digital security
Privacy & data governance

Industries
IT infrastructure and hosting
Digital security

Affected stakeholders
Business

Harm types
Economic/Property

Severity
AI incident

Business function
Citizen/customer service

AI system task
Interaction support/chatbots

Articles about this incident or hazard

Capsule Security Exits Stealth With $7M to Stop AI Agents From Going Rogue at Runtime

2026-04-15
VentureBeat
Why's our monitor labelling this an incident or hazard?
The article discusses the potential risks and vulnerabilities associated with AI agents operating in enterprises and Capsule Security's approach to mitigating these risks at runtime. While it references real vulnerabilities (ShareLeak and PipeLeak) that were discovered and patched, it does not report any actual harm or incident caused by these vulnerabilities. Instead, it presents Capsule's technology as a preventive measure to avoid AI agents going rogue or causing harm. Therefore, this is a case of Complementary Information, providing context and updates on AI security developments and responses, rather than describing a new AI Incident or AI Hazard.
Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway.

2026-04-15
VentureBeat
Why's our monitor labelling this an incident or hazard?
The event explicitly involves AI systems (agentic AI platforms like Copilot Studio and Agentforce) and describes how prompt injection vulnerabilities were exploited to cause unauthorized data exfiltration. This constitutes a direct harm to property and organizational security. The vulnerabilities were exploited in practice (not just theoretical), and data was exfiltrated despite patches and safety mechanisms, fulfilling the criteria for an AI Incident. The detailed description of the attack vectors, the harm caused, and the patching timeline supports this classification. Although the article also discusses broader risks and mitigation strategies, the primary focus is on the realized harm from the AI system's malfunction and misuse.
Microsoft, Salesforce Patch AI Agent Data Leak Flaws

2026-04-15
Dark Reading
Why's our monitor labelling this an incident or hazard?
The article explicitly describes AI systems (AI agents using large language models) that were vulnerable to prompt injection attacks, which directly led to data leaks (harm). The vulnerabilities were exploited via malicious inputs to public forms, causing the AI agents to leak sensitive customer data. This is a clear case where the AI system's malfunction or misuse caused harm. The event is not merely a potential risk but a realized incident that has been patched. The involvement of AI in the attack vector and the resulting harm to data security fits the definition of an AI Incident. The article also discusses mitigation and responses, but the primary focus is on the incident itself, not just complementary information.
Capsule Security launches with $7M to secure AI agents at runtime - SiliconANGLE

2026-04-15
SiliconANGLE
Why's our monitor labelling this an incident or hazard?
The event involves AI systems (agentic AI platforms) and their security vulnerabilities, which if exploited could lead to harm. However, the article does not report any realized harm or incident caused by these vulnerabilities; rather, it reports proactive discovery and patching. Therefore, this is not an AI Incident. The vulnerabilities represent potential risks that could plausibly lead to harm if unaddressed, but since they have been patched or responsibly disclosed, the article's main focus is on the launch of a security company and its role in mitigating AI risks. This fits best as Complementary Information, providing context on AI security developments and responses rather than reporting a new incident or hazard.
Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway. - RocketNews

2026-04-15
RocketNews | Top News Stories From Around the Globe
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions a prompt injection vulnerability in an AI system (Copilot Studio) that led to data exfiltration, which is a form of harm to property and potentially to individuals or organizations. The vulnerability was discovered, disclosed, and patched, indicating the harm occurred and was addressed. The AI system's malfunction (prompt injection) directly caused the harm, fitting the definition of an AI Incident.
Capsule Security debuts with $7 million funding to secure AI agent behavior - IT Security News

2026-04-15
IT Security News - cybersecurity, infosecurity news
Why's our monitor labelling this an incident or hazard?
The article focuses on the launch and funding of a company aiming to secure AI agents, which is a development in the AI ecosystem. There is no mention of any realized harm or incident caused by AI, nor a specific credible risk event. The content is about a governance and security response to potential AI risks, fitting the definition of Complementary Information rather than an Incident or Hazard.
Microsoft and Salesforce AI Agents Hit by Prompt Injection Vulnerabilities - News Directory 3

2026-04-15
News Directory 3
Why's our monitor labelling this an incident or hazard?
The event explicitly involves AI systems (autonomous AI agents) whose prompt injection vulnerabilities have been exploited to leak sensitive corporate data, causing direct harm through unauthorized data exfiltration. The harm includes violation of data privacy and loss of property (corporate data). The vulnerabilities stem from the AI systems' design and use, and the exploitation has already occurred, not merely a theoretical risk. Hence, it meets the criteria for an AI Incident rather than a hazard or complementary information.
Capsule Security raises $7m to secure AI agents at runtime

2026-04-16
RegTech Analyst
Why's our monitor labelling this an incident or hazard?
The event involves AI systems explicitly (AI agents) and their use in enterprise environments. The vulnerabilities discovered (prompt injection flaws) have been exploited or could be exploited to cause harm such as data leakage or unsafe downstream actions, which are direct harms related to AI system malfunction or misuse. Capsule's platform addresses these harms by providing runtime security controls. Since the vulnerabilities have been found and patched, and the harms are real and significant, this qualifies as an AI Incident. The article focuses on the harm caused by AI system vulnerabilities and the security risks they pose, not just potential future harm or general AI news.
Capsule Security launches with $7 million to secure AI agents

2026-04-16
SC Media
Why's our monitor labelling this an incident or hazard?
The article involves AI systems (AI agents) and discusses their security vulnerabilities and a new platform to mitigate risks. However, no actual harm or incident resulting from AI system malfunction or misuse is reported. The vulnerabilities disclosed indicate potential risks but do not describe an event where harm occurred or was narrowly averted. The main focus is on the launch of a security product and the identification of security gaps, which is informative and relevant to understanding AI ecosystem developments and responses. Hence, it fits the definition of Complementary Information rather than an AI Incident or AI Hazard.
Capsule Security Exits Stealth With $7M to Stop AI Agents From Going Rogue at Runtime

2026-04-17
Financial IT
Why's our monitor labelling this an incident or hazard?
The event involves AI systems explicitly (agentic AI operating in enterprises) and addresses vulnerabilities and risks that have already led to security incidents (e.g., zero-day vulnerabilities in Microsoft Copilot Studio and Salesforce Agentforce). The article reports on Capsule's solution to prevent AI agents from causing harm such as data exfiltration or unsafe actions, which are direct harms to enterprise security and potentially to privacy and property. Since the vulnerabilities have been discovered and patched, and the company is launching a product to prevent such harms, the event is primarily about addressing existing AI-related harms and risks. However, the article itself is mainly about the launch of a security product and the disclosure of vulnerabilities, not about a specific incident causing realized harm. The vulnerabilities represent past AI incidents, but the article focuses on the response and mitigation. Therefore, this is best classified as Complementary Information, as it provides important context and updates on AI security risks and responses, rather than reporting a new AI Incident or AI Hazard.