Community Bank, a regional bank operating across southwestern Pennsylvania, Ohio, and West Virginia, has disclosed that customer data — including names, dates of birth, and Social Security numbers — was transmitted to an unauthorized AI application. The bank filed an 8-K with the SEC on May 7, citing “the volume and sensitive nature of the non-public information” involved.
The bank hasn’t named the AI tool. It hasn’t said how many customers are affected. CEO John Montgomery hasn’t responded to press inquiries. What we do know: someone working at the bank uploaded sensitive customer records to an AI application that wasn’t approved for use — and now that data sits on servers the bank doesn’t control, governed by terms of service the bank never agreed to.
What “Unauthorized AI App” Actually Means
Reading between the lines of the SEC filing, this looks like a textbook case of shadow AI — an employee using a consumer AI chatbot for work tasks without IT approval. Maybe they were trying to speed up data processing. Maybe they wanted to format a spreadsheet. Whatever the reason, customer Social Security numbers ended up inside a third-party system with unknown data retention policies.
This is the part that should worry you. When your data gets sent to a traditional hacker, it’s bad. But at least the breach is recognized as a breach. When your data gets pasted into an AI chatbot, the company running that chatbot may retain it for model training, store it indefinitely, or share it with subprocessors — all perfectly legally under their terms of service. Your bank never consented to those terms on your behalf. Neither did you.
Community Bank says it remains “in communication with relevant banking and financial regulators” and will notify affected customers under applicable laws. Operations weren’t disrupted — customers kept full access to their accounts. That’s cold comfort when your Social Security number is sitting in an AI company’s training pipeline.
This Is Happening Everywhere
Community Bank got caught. Most companies don’t.
A 2025 enterprise security report from LayerX found that 77% of employees have pasted company information into AI and large language model services. Of those, 82% used personal accounts rather than enterprise-managed tools — meaning IT teams had zero visibility into what was being shared.
The numbers get worse. Generative AI now accounts for 32% of unauthorized corporate data transfers, making it the leading channel for data exfiltration. Zscaler’s ThreatLabz research tracked 4.2 million data loss violations attributable to AI tools like ChatGPT and Microsoft Copilot in a single year. IBM’s 2025 Cost of a Data Breach Report found that shadow AI adds an average of $670,000 in costs above standard breach costs.
And those are just the incidents that get detected. When an employee pastes customer records into ChatGPT on their personal phone, there’s no DLP tool catching it, no access log recording it, no incident report filed. The data just disappears into a system designed to ingest and learn from everything it receives.
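The detection gap described above is exactly what an egress inspection point is meant to close. As an added example, not code from the article or from Community Bank, here is a minimal DLP-style check over constructed proxy records: it looks for plausible Social Security numbers (applying the SSA structural rules so test and placeholder values are not flagged) in request bodies and reports only those bound for destinations outside an approved list. Hostnames, usernames and log lines are all constructed assumptions.

```python
import json
import re

# Constructed sample egress-proxy records (not real traffic); each is one
# outbound request body as seen by a DLP inspection point.
SAMPLE_EGRESS_LOG = [
    '{"user":"jdoe","host":"api.approved-ai.example","body":"Summarize Q1 loan volume by branch."}',
    '{"user":"asmith","host":"chat.consumer-ai.example","body":"Format this: John Doe, DOB 1981-03-04, SSN 219-09-9999"}',
    '{"user":"asmith","host":"chat.consumer-ai.example","body":"Reformat: 000-12-3456 and 666-01-0001 are test IDs"}',
    '{"user":"bwong","host":"intranet.example","body":"Account note for 123-45-6789 filed"}',
]

# Dashed SSN shape; undashed or spaced variants would need additional patterns.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical allowlist of destinations the institution has vetted.
APPROVED_HOSTS = {"api.approved-ai.example", "intranet.example"}


def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return the structurally valid SSNs found in a text body."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_plausible_ssn(a, g, s)]


def mask(ssn):
    """Keep only the last four digits so the finding itself is not a leak."""
    return "***-**-" + ssn[-4:]


def scan_egress(log_lines, approved_hosts=APPROVED_HOSTS):
    """Flag requests carrying SSNs to any host not on the approved list."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        ssns = find_ssns(rec.get("body", ""))
        if not ssns or rec["host"] in approved_hosts:
            continue
        findings.append({"user": rec["user"], "host": rec["host"],
                         "ssn_count": len(ssns), "masked": [mask(x) for x in ssns]})
    return findings


if __name__ == "__main__":
    for f in scan_egress(SAMPLE_EGRESS_LOG):
        print(f)
```

In practice the same check would sit on a forward proxy or browser extension that sees the request before it leaves, so a match can block the upload rather than only record it.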
The Data Sovereignty Problem
This incident exposes a gap that traditional security thinking hasn’t caught up with yet. Banks spend millions on firewalls, encryption, and access controls. They run background checks on employees and audit their vendors. Then an employee opens a browser tab and sends customer SSNs to a server in a jurisdiction with no obligation to delete them.
Most AI providers’ terms of service grant broad rights to process submitted data. Some use it for model improvement. Some store it for an unspecified retention period. Some share it with unnamed subprocessors. The user who clicked “I agree” on those terms was an individual employee — not the bank, and certainly not the customers whose Social Security numbers were involved.
Under Swiss data protection law (nDSG) and the GDPR, this kind of uncontrolled data transfer would face far stricter scrutiny. Data controllers are responsible for knowing exactly where personal data goes and ensuring adequate protection at every step. The US regulatory framework is catching up — the SEC filing requirement that forced this disclosure is proof of that — but there’s still no federal law requiring companies to control where employees send customer data via AI tools.
What You Can Do
If you’re a Community Bank customer, you should:
- Place a credit freeze with all three credit bureaus (Equifax, Experian, TransUnion). This is free and prevents anyone from opening new accounts using your SSN.
- Monitor your credit reports for unauthorized activity. You’re entitled to free weekly reports at AnnualCreditReport.com.
- Watch for phishing — breached personal data often gets used to craft convincing scam emails and calls.
For everyone else, this is a reminder that your most sensitive data doesn’t just leak through hackers. It leaks through the people and institutions you trust with it, one AI chatbot prompt at a time.
Why This Matters
Every time you hand your data to a company, you’re trusting not just their security infrastructure but every individual employee’s judgment about which tools to use. Community Bank’s security systems weren’t breached. No hacker exploited a vulnerability. An employee just used the wrong tool for the job — and your Social Security number paid the price.
This is exactly the problem that privacy-first, self-hosted infrastructure solves. When your data lives in a system you control — encrypted, on servers in a jurisdiction with strong privacy laws — an employee at a third-party company can’t paste it into an AI chatbot because they never had access to it in the first place. The best data protection isn’t better employee training. It’s architecture that makes this kind of mistake impossible.