Connect with us

Technology

Why the Microsoft 365 Copilot bug matters for data security

Published

on

Why the Microsoft 365 Copilot bug matters for data security

NEWYou can now listen to Fox News articles!

You trust your email security settings for a reason. So when an AI assistant quietly reads and summarizes messages marked confidential, that trust takes a hit.

Microsoft says a bug in Microsoft 365 Copilot allowed its AI chat feature to process sensitive emails since late January.

The issue bypassed Data Loss Prevention policies that organizations rely on to protect private information. Put simply, emails that were supposed to stay locked down were being summarized anyway.

Sign up for my FREE CyberGuy Report 

Advertisement

Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter    

Microsoft 365 Copilot’s work chat interface sits at the center of the issue after a bug allowed it to summarize confidential emails. (Microsoft)

Microsoft 365 Copilot bug summarized confidential emails

Microsoft says a coding error impacted Microsoft 365 Copilot Chat, specifically the “work tab” feature. The AI assistant helps business users summarize content, draft responses and analyze information across Word, Excel, PowerPoint, Outlook and OneNote.

Beginning Jan. 21, an internal bug labeled CW1226324 caused Copilot to read and summarize emails stored in Sent Items and Drafts folders.

The real concern runs deeper. Several of those messages carried confidentiality or sensitivity labels.

Advertisement

Companies apply those labels along with DLP policies to block automated systems from accessing restricted content. Despite those safeguards, Copilot still generated summaries. 

We reached out to Microsoft, and a spokesperson provided CyberGuy with the following statement:

“We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labeled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop. This did not provide anyone access to information they weren’t already authorized to see. While our access controls and data protection policies remained intact, this behavior did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access. A configuration update has been deployed worldwide for enterprise customers.” 

Why the Microsoft 365 Copilot bug matters for data security

AI tools feel helpful. They save time and reduce busy work. But they also rely on deep access to your data. When safeguards fail, even temporarily, sensitive content can move in ways you did not expect.

YOUR PHONE SHARES DATA AT NIGHT: HERE’S HOW TO STOP IT

Advertisement

For businesses, that could mean:

Legal discussions summarized outside intended controls

Financial projections processed despite restrictions

HR communications are exposed to automated analysis

Even if no data leaves the organization, the bypass itself raises concerns about how AI integrates with enterprise security systems.

Advertisement

Business users rely on Copilot to streamline work, but a recent bug raised concerns about how it handles sensitive email content. (Microsoft)

How Microsoft is fixing the Microsoft 365 Copilot bug

Microsoft says it began rolling out a fix in early February. The company continues to monitor deployment and is contacting some affected users to verify the fix works.

However, Microsoft has not provided a final timeline for full remediation. It has also not disclosed how many organizations were affected.

The issue is tagged as an advisory, which usually signals limited scope or impact. Still, many security professionals will want deeper clarity before feeling comfortable.

What this Microsoft 365 Copilot issue reveals about AI security

This incident highlights something many companies are wrestling with right now. AI assistants sit inside productivity platforms. They need access to email, documents and collaboration tools to work well.

Advertisement

TIKTOK AFTER THE US SALE: WHAT CHANGED AND HOW TO USE IT SAFELY

At the same time, those platforms contain your most sensitive information. When AI features expand quickly, security policies must evolve just as fast. Otherwise, even a small code mistake can create unexpected exposure.

The Copilot chat feature was designed to boost productivity, yet a code error let it process emails labeled confidential. (Microsoft)

Ways to stay safe after the Microsoft 365 Copilot bug

If your organization uses Microsoft 365 Copilot, here are practical steps to reduce risk:

1) Review Copilot access settings

Work with your IT team to confirm which folders and data sources Copilot can access.

Advertisement

2) Revalidate DLP policies

Test sensitivity labels and DLP (Data Loss Prevention)  rules to ensure they block AI processing as intended.

3) Monitor advisory updates

Stay current on Microsoft service alerts and verify that the fix is fully deployed in your tenant.

4) Limit AI scope during investigations

If you have concerns, consider temporarily restricting Copilot features until verification is complete.

5) Train employees on AI boundaries

Remind staff that AI assistants can process drafts and send messages. Encourage careful handling of sensitive content.

6) Audit Copilot activity logs

Review audit logs to see whether Copilot accessed or summarized labeled emails. This helps determine actual exposure rather than assumed risk.

Advertisement

7) Review sensitivity label configuration

Confirm that confidential labels are configured to block AI processing where required. Misconfigured labels can create gaps even after a bug is fixed.

8) Reassess retention and draft policies

Because the issue involved Sent Items and Drafts, evaluate whether sensitive drafts should be stored long-term or deleted after sending.

9) Limit Copilot to specific user groups

Instead of enabling Copilot organization-wide, consider a phased deployment to departments with lower sensitivity exposure.

10) Conduct a post-incident security review

Use this moment to reassess how AI tools integrate with compliance controls. Treat it as a learning opportunity rather than a one-time glitch.

Pro Tip: This Copilot bug centers on enterprise controls. Even so, AI tools operate on your devices and accounts, so keeping software up to date and using strong antivirus software adds an important layer of defense. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

Advertisement

Considering a more private email provider

Enterprise AI bugs raise a bigger question: how much access should email platforms have to your data in the first place? If you want an added layer of privacy beyond mainstream providers, privacy-focused email services are worth exploring.

Some offer end-to-end encryption, support for PGP encryption and a strict no-ads business model that avoids scanning messages for marketing purposes.

AI WEARABLE HELPS STROKE SURVIVORS SPEAK AGAIN

Many also allow you to create disposable email aliases, which can reduce spam and limit exposure if one address is compromised.

While no provider is immune to software bugs, choosing an email service built around privacy rather than data monetization can limit how much of your information is accessible to automated systems in the first place.

Advertisement

For individuals, journalists and small businesses especially, that added control can make a meaningful difference.

For recommendations on private and secure email providers that offer alias addresses, visit Cyberguy.com

Kurt’s key takeaways

AI assistants are becoming part of daily work life. They promise speed, efficiency and smarter workflows. But convenience should never outrun security.

This Copilot bug may have a limited impact. Still, it serves as a reminder that AI tools are only as strong as the guardrails behind them.

When those guardrails slip, even briefly, sensitive information can move in unexpected ways. As AI becomes more embedded in business software, trust will depend on transparency, fast fixes and clear communication.

Advertisement

Here is the real question: If your AI assistant can see everything you write, are you fully confident it respects every boundary you set? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter 

Copyright 2026 CyberGuy.com.  All rights reserved.  

Advertisement

Related Article

149 million passwords exposed in massive credential leak

Technology

Google’s Nest Thermostat has hit its best price of the year

Published

on

Google’s Nest Thermostat has hit its best price of the year

If you’re looking for a relatively affordable way to cut down on cooling costs, Google’s Nest Thermostat can help. It’s packed with smart controls and energy-saving features, and right now it’s on sale in white for $79 ($50 off), which is its best price of the year, at Amazon.

The smart thermostat is quick to install and makes it easy to adjust your home’s temperature whether you’re relaxing in bed or on your way home thanks to the Google Home app. You can also create schedules and control it with your voice using Google Assistant, Alexa, or another Matter-compatible voice assistant.

Once it’s set up, the Nest Thermostat can automatically turn the temperature down when you’re away to help reduce unnecessary energy use, while Google’s Savings Finder feature suggests additional ways to save over time. It also monitors your HVAC system and can alert you if something doesn’t seem right, making it easier to stay on top of maintenance before small issues become bigger, more expensive ones. If you’re eligible, Nest Renew can also automatically shift some of your heating and cooling to times when electricity is cleaner or cheaper.

That said, this is Google’s entry-level model from 2020, so you do miss out on some of the premium features found on the latest Nest Learning Thermostat. Unlike the flagship version, it won’t learn your schedule automatically over time, for example, and lacks support for Nest Temperature Sensors that let you prioritize the temperature in a specific room. Even so, if all you want is an easy way to adjust your home’s temperature remotely and potentially lower your energy bills, the Nest Thermostat is still a solid investment at this price.

Continue Reading

Technology

Medical identity theft follows you into the doctor’s office

Published

on

Medical identity theft follows you into the doctor’s office

NEWYou can now listen to Fox News articles!

The Justice Department recently charged 455 people in its annual National Health Care Fraud Takedown. The cases involve more than $6.5 billion in alleged false claims. More state Medicaid units took part than in any prior year. Ninety of the accused are doctors or other licensed medical professionals. The DOJ says prosecutors still must prove the charges in court.

Many schemes used other people’s medical identities. Prosecutors also added aggravated identity theft charges in cases across dozens of states. In one case, the co-owner of a Virginia mental health company allegedly paid homeless people with hotel stays. Prosecutors say the company used their Medicaid numbers, then billed Medicaid for crisis services the patients never got.

For the people whose numbers got used, the case file may eventually close. Their medical records may not be so easy to fix. Once someone else’s treatment shows up under your name, it can add wrong information to your chart. It can also use up insurance benefits you may need later. That is harder to undo than canceling a credit card.

Sign up for my FREE CyberGuy Report

Advertisement
  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

DR OZ WARNS MEDICARE SCAMMERS ARE STEALING BILLIONS — AND YOUR PERSONAL INFORMATION COULD BE NEXT

Medical identity theft can put someone else’s claims, prescriptions or diagnoses into your health records, creating problems that can follow you into a doctor’s office. (iStock)

The identity thief’s treatment gets written into your file

Medical identity theft happens when someone uses your name, Social Security number (SSN), health insurance account number, or Medicare number to see a doctor, fill a prescription, buy medical equipment, or submit a claim, according to the Federal Trade Commission (FTC).

When care is billed under your name, the thief’s health information can blend into yours. The FTC warns that mixed records can affect the care you’re able to get and the benefits you are able to use. A blood type, a drug allergy, a diagnosis, or a prescription that belongs to a stranger can sit in the file a physician reads before treating you.

Data breaches can feed the market for medical identity theft

Hospitals and insurers hold the exact records that make the fraud work, and those records are stolen often. This does not mean every healthcare breach leads to fraud. However, it explains why your insurance number, Medicare number, SSN and medical records can become valuable long after a breach notice arrives.

This spring, NYC Health + Hospitals reported that an intruder had copied files that may have included health insurance information, medical information, biometric data, billing data and other personal information. The breach was later reported to affect roughly 1.8 million current and former patients and employees.

Advertisement

Once a name, SSN, insurance number, Medicare number or medical record reaches a criminal marketplace, it can be resold to operators who bill under someone else’s identity.

Treat your insurance card like a credit card

Your health insurance and Medicare numbers are what these operations need, so the FTC recommends guarding them the way you would a payment card.

  • Keep enrollment forms, benefit statements, and prescription labels somewhere secure, and shred them before throwing them out.
  • When a doctor’s office asks for your SSN, ask whether it can use another identifier or the last four digits instead.
  • Be wary of anyone who calls, texts, or emails offering free braces, genetic tests, or medical supplies in exchange for your Medicare number; several of the schemes in the June takedown billed Medicare for exactly those items.
  • If you are on Medicare, create or log in to your secure Medicare account and review your claims. You can also check your Medicare Summary Notice for services, supplies or equipment you do not recognize. If something looks wrong, call 1-800-MEDICARE.

HOSPICE FRAUD USES STOLEN IDENTITIES FOR FAKE PATIENTS

Experts urge patients to treat insurance cards like credit cards and quickly challenge unfamiliar medical bills, claims or benefits notices. (iStock)

Your credit report may never flag this fraud

Because a fraudulent medical claim runs through insurance and provider systems instead of a credit check, it skips the alerts most people rely on.

Here’s what the FTC says you should look out for:

Advertisement
  • A bill or an Explanation of Benefits (EOB) statement for care you never received
  • A call from a debt collector about a medical debt you do not owe
  • A medical collection you do not recognize on your credit report
  • A notice from your insurer that you have reached your benefit limit
  • A Medicare Summary Notice that lists services, supplies or equipment you never received

What to do first if a medical claim looks wrong

If a bill, EOB or Medicare notice shows care you never received, move quickly and keep everything in writing.

1) Call your insurer or Medicare directly

Call your insurer or Medicare using the number on your card, not a number from a random text, email or voicemail.

2) Get the claim details

Ask for the provider name, date of service, claim number and service details.

3) Request the records in writing

Contact the provider in writing and request the medical or billing records tied to that claim.

4) Report the error

Report the error to your insurer’s fraud department.

5) File an identity theft report

File a report at IdentityTheft.gov if your medical identity was used. That gives you a recovery plan and documentation you may need if fraudulent bills or collections show up later.

Advertisement

6) Save every document

Keep copies of every bill, EOB, letter, portal message, police report and case number.

Correcting a medical file is slower than disputing a charge

Request your records from every provider, clinic, pharmacy, lab and insurer the thief may have used, then report each error in writing. Under HIPAA, a provider generally has 30 days to give you access to your records after a written request, with a possible 30-day extension.

Fixing the record itself can take longer. HHS says a covered provider or health plan usually has up to 60 days to act on a request to amend a medical record, with a possible 30-day extension in certain cases. If the provider or plan created the wrong information, it must amend inaccurate or incomplete information.

There’s one catch, though: a provider may refuse to release records that now contain a stranger’s information, citing that person’s privacy. If that happens, ask for the provider’s privacy officer or patient advocate. You can also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you do not get your records or an explanation within the required window.

TEXAS DATA BREACH HITS 3M LICENSE CUSTOMERS

Advertisement

Stolen Medicare, Medicaid or insurance numbers can be used to bill for care, medical equipment or prescriptions patients never received. (kali9/Getty Images)

A credit freeze alone won’t stop a claim under your insurance

A freeze blocks new accounts, but it does nothing about a claim filed with your insurance number. Because medical identity theft can move without touching your credit file, monitoring where your personal information appears is the earliest way to act on it.

An identity theft protection service can monitor the dark web, data broker sites and people-search sites for exposed SSNs, driver’s license numbers, medical ID numbers and email addresses. It can also track all three credit bureaus for medical collections that may follow and flag public-record changes tied to your name.

If misuse happens, some services include fraud resolution support to help you request records, dispute fraudulent claims and work with providers, insurers and credit bureaus. Some plans also include identity theft insurance for eligible recovery costs.

No service can prevent every misuse of your medical identity. However, ongoing monitoring may flag exposed information before another person’s treatment reaches your records and your insurance.

Advertisement

See my tips and best picks on Best Identity Theft Protection at CyberGuy.com.

Kurt’s key takeaways

Medical identity theft hits in a place most of us rarely check: our health records. A stolen credit card can usually be canceled quickly. A stolen Medicare or insurance number can create fake claims, wrong diagnoses and benefit headaches that follow you long after the fraud case ends. I would not wait for a credit alert here. Check your EOBs, Medicare Summary Notices and insurer portals for visits, prescriptions or equipment you never received. Also, treat your insurance card like a payment card. Do not give the number to anyone who calls, texts or emails out of nowhere with a free offer. The most important thing is to act fast. Call your insurer or Medicare, ask for the claim details and request your medical records in writing. Then file at IdentityTheft.gov, so you have the paperwork you need if fraudulent bills or collections show up later.

Have you ever spotted a medical bill, insurance claim or EOB for care you never received? Let us know by writing to us at CyberGuy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

Advertisement
  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.

Continue Reading

Technology

Meta is reportedly working on smart glasses that would be recording all the time

Published

on

Meta is reportedly working on smart glasses that would be recording all the time

Meta might be the next company to make an always-on AI wearable. The company is working on prototype “super sensing” always-aware smart glasses that could continuously record audio and snap photos “every few seconds,” according to the Financial Times. The wearer could then ask Meta AI about the captured audio and images.

However, the images and audio might not be directly available to the user. Here’s how the FT describes one way the glasses could use the data:

In one proposed system, raw footage and audio would not be stored by Meta or made available to the user, several people said. Instead, the metadata from that audio and images would be extracted and uploaded to the server for Meta’s AI to query, which proponents argue would have fewer privacy implications.

But currently, Meta is planning for the LED recording indicator to remain off in “super sensing” mode, the FT reports. In a July 2025 whitepaper, the company said that it would reserve the LED indicator for “active capture” scenarios where the user is saving photos or videos, and leave it off during “AI Feature” use — such as scanning a menu — to avoid users becoming too used to the indicator. (If the indicator was on during the “super sensing” mode, it might also be harder to know when the glasses are actually recording video.)

Meta is also discussing if it would use the captured data for training its AI models. It may also bring the “super sensing” features to glasses it has already released, the FT says.

“While we don’t comment on internal prototypes, we’re committed to getting our glasses right because they need to be loved by both people wearing them and those around them,” Meta spokesperson Dave Arnold says in a statement to The Verge. Arnold also notes that “Our approach has been to develop new technologies that will help people throughout their day, with privacy built in from the ground up.”

Advertisement

Meta hasn’t been shy about some type of always-aware glasses being a possibility. CEO Mark Zuckerberg, in the company’s Q1 2026 earnings call, said that he was “really excited to see the glasses evolve from being able to answer questions to being able to be a personal agent that’s with you all day long, helping you remember things and achieve your goals.” In a March blog post about new Ray-Ban Meta glasses, the company wrote that “with ongoing software updates, Meta AI on glasses will transition from something you have to prompt with a question each time, to a more continuous, in-the-moment assistant that can help throughout the day.”

Continue Reading
Advertisement

Trending