Schibsted, a major Norwegian media and technology company, has disclosed that it inadvertently shared sensitive internal information with OpenAI over the course of approximately one year. The exposure included internal comments and source material that should have remained confidential within the organization.
Data Exposure Details
The incident came to light when Schibsted discovered that its employees had been using ChatGPT for various work-related tasks, including content creation and analysis. During this period, sensitive internal communications and editorial materials were transmitted to OpenAI’s systems without adequate data protection measures in place. The company has not specified the exact volume of data exposed or the complete timeline of the breach.
The revelation raises important questions about how organizations integrate artificial intelligence tools into their workflows and the necessity of establishing robust data governance policies before adopting third-party AI services. Many companies have rushed to implement generative AI solutions to enhance productivity, sometimes without fully considering the privacy implications of feeding proprietary information into external systems.
Response and Implications
Schibsted’s experience serves as a cautionary tale for European enterprises evaluating AI adoption strategies. The incident underscores the gap that often exists between technological enthusiasm and practical security considerations. Organizations across the continent are increasingly experimenting with large language models, yet many lack comprehensive frameworks to govern what information can be safely shared with external AI providers.
The timing of this disclosure is particularly relevant given the European Union’s focus on data protection and artificial intelligence regulation. The General Data Protection Regulation already imposes strict requirements on data transfers, and the forthcoming AI Act will introduce additional compliance obligations. Companies must ensure that their AI integration strategies align with both existing and emerging regulatory requirements.
Broader European Context
This incident highlights a growing challenge within the European startup and technology ecosystem. As organizations of all sizes adopt AI tools to remain competitive, many are learning that convenience and innovation must be balanced against security and compliance. European companies have historically been subject to stricter data protection standards than their global counterparts, making such exposures particularly concerning from both a legal and reputational standpoint.
The Schibsted case demonstrates that even established media organizations with significant resources can struggle to implement proper safeguards when integrating new technologies. Smaller startups and mid-sized companies may face even greater challenges in managing these risks while attempting to leverage AI’s productivity benefits.
Going forward, European organizations should implement mandatory data classification systems, establish clear policies on what information can be processed through external AI services, and ensure employees receive adequate training on these guidelines. The incident also suggests that AI providers should be more transparent about data retention practices and offer stronger contractual protections for enterprise clients handling sensitive information.