MSP Discovers HR Data Exposed to AI Before Copilot Rollout

Overview

A managed service provider (MSP) onboarded a large retail company that had recently started using Microsoft Copilot. The MSP deployed Cyflow to assess data exposure risks before the AI rollout could surface sensitive information to unauthorized employees.

The Challenge

The retail company had recently adopted Microsoft Copilot to boost productivity across the organization. However, with AI now able to search and surface content from across Microsoft 365, any oversharing misconfiguration became an immediate security risk.

The MSP knew that deploying Copilot without first assessing data permissions could expose sensitive information to employees who shouldn't have access. They needed a way to quickly audit the environment before the AI rollout amplified existing risks.

Deployment

The MSP deployed Cyflow and initiated a full scan of the retail company's Microsoft 365 tenant. Within an hour, the platform had analyzed SharePoint sites, OneDrive accounts, and shared files across the organization.

Initial Scan Results

The scan revealed hundreds of critical issues. Among the most alarming findings: a significant number of HR documents had been shared with the entire organization, making them accessible to every employee through both direct browsing and AI-powered search via Copilot.

Critical Finding

The exposed HR documents contained highly sensitive data including:

• Employee agreements and contracts
• Payroll information and salary details
• Management compensation data
• Accounts payable records
• Confidential HR correspondence

With Microsoft Copilot deployed, any employee could simply ask the AI questions like "What is the salary for the VP of Sales?" or "Show me employee agreements" — and get answers directly from these exposed documents.

Root Cause

Investigation uncovered a common but dangerous misconfiguration. The HR team had properly set up a SharePoint site with permissions restricted to the correct HR and finance groups. However, when they attached OneDrive files to that SharePoint site, those files retained their original sharing settings — which included "Everyone in the organization."

This meant that while the SharePoint site appeared secure, the actual documents linked from it were accessible to all employees. The disconnect between SharePoint permissions and OneDrive file sharing created a massive exposure invisible to standard admin tools.

Investigation

Using Cyflow's Inventory console, the MSP was able to trace the exposure path and identify exactly which files were affected. The platform showed:

• Which OneDrive files were attached to the SharePoint site
• The actual permission level on each file
• Who could access the files (everyone in the organization)
• Which files contained sensitive content based on AI classification

Remediation

The MSP worked with the client to immediately correct the permissions. All HR documents were restricted to the appropriate finance and HR groups only. The SharePoint site attachments were updated to inherit proper permissions rather than retaining organization-wide access.

The remediation was completed the same day, eliminating the risk before Copilot could surface sensitive HR data to unauthorized employees.

"We thought our SharePoint permissions were set correctly, but Cyflow showed us that the attached OneDrive files were exposed to everyone. Without this visibility, our employees could have accessed salary data through Copilot. We're incredibly grateful."

The AI Amplification Risk

This case highlights a critical security concern for organizations deploying Microsoft Copilot or similar AI tools. Traditional oversharing issues — where files are accessible to more users than intended — become dramatically more dangerous when AI can search and summarize that content on demand.

Before AI, an employee might never stumble across an HR document buried in someone else's OneDrive. With Copilot, they can simply ask a question and get the answer instantly.

Conclusion

This use case demonstrates why data exposure assessments are essential before deploying AI tools like Microsoft Copilot. The disconnect between SharePoint site permissions and attached OneDrive file permissions is a common misconfiguration that traditional admin tools don't surface.

Cyflow detected these issues within an hour of deployment and enabled same-day remediation. The MSP now includes Cyflow scans as a mandatory step before any AI rollout, ensuring that sensitive data isn't accidentally exposed to AI-powered search.