Key Risks

Shadow IT can raise exposure across identity, data, and operations - but not every unsanctioned tool is dangerous. Risk grows when core controls are bypassed: identities sit outside SSO/MFA, sensitive data leaves governed platforms, or critical work depends on vendors without clear ownership or support.

The magnitude depends on context - data sensitivity, external sharing, the scopes and tokens granted, scale of adoption, and whether contracts cover residency and processing. The categories below capture the most common ways those factors combine into real impact.

Data Exposure

  • Sensitive data in unmanaged apps/accounts
  • Weak sharing controls
  • No retention or lifecycle

Compliance Failures

  • GDPR/industry obligations unmet
  • Inadequate DPA coverage
  • Data locality or audit trail gaps

Identity Gaps

  • No SSO or MFA enforced
  • Personal logins used for work
  • Orphaned access after offboarding
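One practical way to surface the identity gaps listed above is to reconcile a SaaS app's member export against the corporate identity directory. The Python below is an added example, not code from this page or any vendor; the corporate domain, the IdP export and the app member list are all constructed sample data.

```python
"""Reconcile an app's member list with the IdP directory to flag
personal logins, orphaned accounts and users outside SSO."""

# Assumed corporate email domains (constructed for this example).
CORP_DOMAINS = {"example.com"}

# Constructed sample IdP export: who the directory knows, and whether
# they are still active (offboarded users are inactive).
IDP_USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},   # offboarded last month
    "carol@example.com": {"active": True},
}

# Constructed sample member export from an unsanctioned SaaS tool.
APP_MEMBERS = [
    {"email": "alice@example.com", "sso": True},
    {"email": "bob@example.com", "sso": False},
    {"email": "carol.personal@gmail.com", "sso": False},
    {"email": "dave@example.com", "sso": False},
]


def classify(member, idp_users, corp_domains):
    """Return the list of identity-gap findings for one app member."""
    email = member["email"].lower()
    domain = email.rsplit("@", 1)[-1]
    findings = []
    if domain not in corp_domains:
        # Work done under a personal account: no offboarding hook at all.
        findings.append("personal_login")
    else:
        rec = idp_users.get(email)
        if rec is None:
            findings.append("unknown_identity")      # never in the directory
        elif not rec["active"]:
            findings.append("orphaned_after_offboarding")
    if not member.get("sso"):
        findings.append("no_sso")                    # local password, MFA unknown
    return findings


def reconcile(app_members, idp_users, corp_domains=CORP_DOMAINS):
    """Map each member email to its findings; clean accounts are omitted."""
    report = {}
    for m in app_members:
        f = classify(m, idp_users, corp_domains)
        if f:
            report[m["email"].lower()] = f
    return report
```

Run `reconcile(APP_MEMBERS, IDP_USERS)` to get a dictionary of only the accounts that need action; accounts that are corporate, active and SSO-backed do not appear.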

Fragmented Data

  • Siloed systems without integration
  • Duplicated truths across tools
  • Poor reporting and governance

Unseen Extensions

  • Browser add-ons with broad permissions
  • Unvetted integrations exfiltrating data
  • Lack of inventory or review process

Cost & Vendor Sprawl

  • Duplicated or overlapping tools
  • Unmanaged renewals and spend
  • Hidden legal exposure in contracts

Real-world cases

Below are some cases that show how misuse of tools, misconfigured systems, and off-channel communications have led to fines, reprimands, and data exposure.

JPMorgan Chase

2021

US regulators fined JPMorgan $200M for employees’ use of WhatsApp and personal devices for business communications, violating record-keeping requirements.

BNP Paribas

2023

BNP Paribas and other banks were fined by US regulators for staff’s use of WhatsApp and other unapproved channels, failing to retain required business records.

Deutsche Bank

2022

Deutsche Bank warned employees against deleting WhatsApp messages as regulators cracked down; some staff faced bonus cuts for off-channel use.

Samsung Electronics

2023

Samsung banned generative AI tools after employees pasted confidential code and meeting notes into ChatGPT, risking data leaks to third parties.

Medicals Nordic

2021

Denmark’s DPA proposed a DKK 600,000 fine after staff shared sensitive COVID-19 test data via WhatsApp groups used outside sanctioned systems.

International Flavors & Fragrances

2024

The European Commission fined IFF €15.9M after a senior employee deleted WhatsApp messages during a dawn raid, an obstruction tied to off-channel communications.

Tesla

2023

A Reuters investigation revealed Tesla employees shared private customer images in internal Slack groups, exposing risks of uncontrolled collaboration tools.

Sepura

2022

Ofcom fined Sepura £1.5M after senior staff exchanged competitively sensitive information with Motorola via text messages during a procurement, an off-channel comms failure with competition law consequences.

H&M

2020

Hamburg’s DPA fined H&M €35.3M for unlawful employee monitoring and storing sensitive data in poorly governed systems, illustrating how unmanaged practices can trigger record penalties.