Retail bank onboarding chatbot served one user another user's KYC document

A US retail bank's onboarding chatbot returned a partial KYC document from another applicant during a brief retrieval-layer misconfiguration. The exposure window was 4 hours.

Anonymized: Retail Bank · US · $300B+ assets · Incident Feb 14, 2026 · Indexed May 13, 2026 · Steward-verified · NDA

Retrieval boundaries are identity boundaries. When they slip, the failure is a data event, not an AI event.
What: A US retail bank's onboarding chatbot returned a partial KYC document from another applicant during a brief retrieval-layer misconfiguration.
Incident date: Feb 14, 2026
Who: Anonymized: Retail Bank · US · $300B+ assets
Failure mode: Data Leakage
AI surface: Chatbot
Severity: High

What happened

A US retail bank's onboarding chatbot returned content from another applicant's KYC submission for a four-hour window in early 2026 after a retrieval-layer change pushed during a Friday deployment. The bank disclosed to the affected user and the state attorney general. No regulatory action followed, but the bank rebuilt its retrieval boundary and added an identity-bound retrieval check.

The case is anonymized. The pattern is what every retail bank with an AI customer surface should expect to see at least once.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. Trigger: A request triggers retrieval or context loading.
  2. Model step: The context pulls in another user's content.
  3. Control gap: No boundary enforces isolation at the moment of output.
  4. Failure: Private data crosses into the response.
  5. Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

Retrieval boundary failure. The retrieval layer surfaced content from another tenant's context because the deployment's identity-binding broke during a release. The model did what the retrieval layer told it to do. The retrieval layer was wrong.

Public visibility: Low
Regulatory exposure: Possible
Customer impact: Few customers
Financial impact: Unknown
Time to disclosure: Days
Source: Customer-disclosed · Realm Labs case file under NDA · failureindex.ai
Permalink: https://failureindex.ai/failures/anonymized-retail-banking-onboarding-leakage
Citation: AI Failure Index. "Retail bank onboarding chatbot served one user another user's KYC document" (FI-0022). Realm Labs. https://failureindex.ai/failures/anonymized-retail-banking-onboarding-leakage (indexed May 13, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0022. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

OmniGuard's identity-bound enforcement reads each piece of retrieved content against the current user's identity at the moment the model is about to use it. Content that does not belong to the current user is dropped before the model sees it. The four-hour window becomes a zero-hour window.
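The two mechanisms described on this page, a retriever whose identity binding has dropped out and an independent owner check at the moment of output, can be seen side by side in the following example. It is added here for illustration and is not the bank's code, nor OmniGuard's; it assumes that every indexed chunk carries an owner_id set at ingestion and that the chatbot knows the authenticated principal for the session. The corpus, document ids and applicant names are constructed.

```python
"""Identity-bound retrieval check for a RAG chatbot (illustrative example).

Assumptions (not from the case file): every indexed chunk carries an
``owner_id`` set when the document was ingested, and the chatbot knows the
authenticated principal for the session. All names and values are made up.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    owner_id: str  # the applicant whose KYC submission this text came from
    text: str


@dataclass(frozen=True)
class Principal:
    user_id: str  # authenticated identity of the chat session


@dataclass(frozen=True)
class BoundaryViolation:
    """Audit record: content owned by someone else reached the output boundary."""
    session_user: str
    doc_id: str
    owner_id: str


# Constructed sample index: two applicants' KYC snippets with fake values.
CORPUS: List[Chunk] = [
    Chunk("kyc-1001", "applicant-A", "Applicant A: passport number P-REDACTED, issued 2019"),
    Chunk("kyc-1002", "applicant-A", "Applicant A: proof of address, 1 Example Street"),
    Chunk("kyc-2001", "applicant-B", "Applicant B: driving licence D-REDACTED"),
]

Retriever = Callable[[str, List[Chunk], Principal], List[Chunk]]


def _keyword_match(query: str, corpus: List[Chunk]) -> List[Chunk]:
    # Toy ranking: a chunk matches if any query word appears in its text.
    words = query.lower().split()
    return [c for c in corpus if any(w in c.text.lower() for w in words)]


def retrieve_unbound(query: str, corpus: List[Chunk], principal: Principal) -> List[Chunk]:
    """Models the misconfigured release: the principal is ignored, so the
    candidate set is the whole index rather than the caller's own documents."""
    return _keyword_match(query, corpus)


def retrieve_bound(query: str, corpus: List[Chunk], principal: Principal) -> List[Chunk]:
    """Correct retriever: scope the candidate set to the caller before ranking."""
    mine = [c for c in corpus if c.owner_id == principal.user_id]
    return _keyword_match(query, mine)


def enforce_identity_boundary(chunks: List[Chunk], principal: Principal,
                              audit: List[BoundaryViolation]) -> List[Chunk]:
    """Independent check at the moment of output. Drops every chunk not owned
    by the session principal, whatever the retriever returned, and records a
    violation for each so monitoring can alert on a broken retrieval layer."""
    kept = []
    for c in chunks:
        if c.owner_id != principal.user_id:
            audit.append(BoundaryViolation(principal.user_id, c.doc_id, c.owner_id))
            continue
        kept.append(c)
    return kept


def build_context(query: str, principal: Principal, retriever: Retriever,
                  audit: List[BoundaryViolation], corpus: List[Chunk] = CORPUS) -> List[str]:
    """Retrieve, then enforce the boundary; returns only text the model may see."""
    candidates = retriever(query, corpus, principal)
    safe = enforce_identity_boundary(candidates, principal, audit)
    return [c.text for c in safe]


if __name__ == "__main__":
    audit: List[BoundaryViolation] = []
    user_b = Principal("applicant-B")
    # Broken release: retriever leaks applicant A's chunks; the boundary drops them.
    print(build_context("applicant documents", user_b, retrieve_unbound, audit))
    print(f"{len(audit)} boundary violation(s) recorded: retrieval layer is misbinding identity")
    # Correct release: nothing foreign ever reaches the boundary.
    audit.clear()
    print(build_context("applicant documents", user_b, retrieve_bound, audit))
    print(f"{len(audit)} boundary violation(s) recorded")
```

The point of keeping enforce_identity_boundary separate from the retriever is that the two fail independently: a release that breaks the retriever's scoping (as on this page) still produces zero cross-user output, and the non-empty audit list is the signal that tells the on-call team the retrieval layer is wrong before a customer does.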