Autonomous AI Agent Hacks McKinsey's Internal AI Platform, Exposing Sensitive Data and Prompt Layer Vulnerabilities
News & Blogs

Autonomous AI Agent Hacks McKinsey's Internal AI Platform, Exposing Sensitive Data and Prompt Layer Vulnerabilities

Global · · codewall.ai

An autonomous AI agent from CodeWall.ai successfully breached McKinsey & Company's internal AI platform, Lilli, gaining full read and write access to its production database within two hours. The breach exposed 46.5 million chat messages, 728,000 files, and 57,000 user accounts, highlighting critical vulnerabilities in the platform's security, particularly concerning the prompt layer. This incident underscores the evolving threat landscape where AI agents can autonomously identify and exploit weaknesses, even in systems developed by organizations with significant security investments.


The Breach: A Case Study in Autonomous Hacking

This article details a significant security breach of McKinsey & Company's internal AI platform, Lilli, orchestrated by an autonomous AI agent from CodeWall.ai. The agent, operating without credentials or human intervention, exploited a SQL injection vulnerability to gain full read and write access to Lilli's production database. This incident is particularly noteworthy because it demonstrates the capabilities of autonomous offensive AI in identifying and exploiting vulnerabilities that traditional security tools might miss. For internal audit and assurance professionals, this case serves as a stark warning about the need to re-evaluate existing security postures in the face of advanced AI-driven threats.

Vulnerabilities and Exposed Data

The core vulnerability was an unauthenticated SQL injection found in an endpoint that wrote user search queries to the database. While values were parameterized, JSON keys were directly concatenated into SQL, leading to the exploit. This allowed the agent to access a vast amount of sensitive data, including:

  • 46.5 million chat messages, containing strategic discussions, client engagements, and financial information.
  • 728,000 files, including PDFs, Excel spreadsheets, and PowerPoint decks, with sensitive filenames and direct download URLs.
  • 57,000 user accounts and the full organizational structure of AI usage within McKinsey.
  • System prompts and AI model configurations, revealing how the AI was instructed and its guardrails.
  • 3.68 million RAG document chunks, representing decades of McKinsey's proprietary research and intellectual property.

Beyond data exfiltration, the agent also identified an IDOR vulnerability, allowing it to chain attacks and access individual employees' search histories. The fact that a firm with McKinsey's resources and security investments could be compromised by a relatively old vulnerability like SQL injection, undetected by internal scanners, emphasizes the need for continuous, sophisticated security testing.

The Critical Threat of Prompt Layer Compromise

Perhaps the most alarming aspect of this breach is the potential for compromising the "prompt layer." The SQL injection provided write access to the database where Lilli's system prompts were stored. This means an attacker could have silently rewritten these prompts, leading to:

  • Poisoned advice from the AI, subtly altering critical business recommendations.
  • Data exfiltration by instructing the AI to embed confidential information into its responses.
  • Removal of safety guardrails, allowing the AI to disclose internal data or follow malicious instructions.
  • Silent persistence, as modified prompts leave no log trails, making detection extremely difficult.

This highlights a new and critical area for security focus: the integrity and protection of AI prompts. Internal auditors must recognize that AI prompts are now "Crown Jewel assets" that require the same, if not greater, level of security scrutiny as traditional code and infrastructure. Organizations need to implement robust access controls, version history, and integrity monitoring for their AI prompt layers to mitigate this emerging threat.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →