The IT Nerd

A few days ago, DeepSeek was setting the world on fire because the AI that it put on the table offered strong LLM performance at a much lower cost to train. That made heads explode. But heads are exploding again with news that cybersecurity researchers from Wiz have found a ClickHouse database owned by Chinese AI start-up DeepSeek containing over a million lines of chat history and sensitive information. The database was publicly accessible and allowed the researchers full control over database operations. That too made heads explode. And this is on top of attacks DeepSeek.

Gunter Ollmann, CTO, Cobalt had this to say:

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security. Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs. Given DeepSeek’s recent global recognition and growth in the AI space, the breach could have had a huge impact, significantly affecting businesses and individuals relying on their services, with potential ripple effects across industries.

This case underscores why organizations must continuously evaluate the robustness of their defensive controls —not just to meet compliance, but to protect sensitive data and improve their risk posture. Offensive security, including penetration testing and attack surface monitoring, is essential in identifying these open doors before adversaries do. AI-driven platforms like DeepSeek must integrate security testing into their development lifecycle, ensuring rigorous assessments of infrastructure, access controls, and data handling policies.

AI may be “new” but the basics of security processes and controls still apply.

As AI companies become integral to critical infrastructure, security can’t be an afterthought. The industry needs to adopt a proactive mindset—regular pentesting, red teaming, and continuous attack surface monitoring—to safeguard both intellectual property and customer trust.”

The more I hear about DeepSeek, the more I think that this is an AI that should be avoided. They don’t seem to have their act together, and that’s on top of them being based in China which by itself should set off alarm bells.

This entry was posted on January 30, 2025 at 2:58 pm and is filed under Commentary with tags DeepSeek. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.