BIPI
BIPI

DeepSeek Security Analysis: Data Exposure, Model Risks, and Enterprise Assessment

Threat Intelligence

DeepSeek's rapid rise introduced serious security concerns — an exposed ClickHouse database, data residency in China, and weaker model safety guardrails. A structured enterprise risk assessment covering what matters and what to do about it.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 5, 2025 · 12 min read

#deepseek#ai-security#data-exposure#china-risk#enterprise-ai

DeepSeek's January 2025 release of its R1 reasoning model sent shockwaves through the AI industry — matching or exceeding GPT-4o performance at a fraction of the training cost. Within days, security researchers discovered that the company had left a ClickHouse database exposed to the internet containing over one million rows of chat logs, API keys, system prompts, and backend operational data. The discovery set off a global reassessment of the risks of using Chinese-origin AI services in enterprise contexts.

The security concerns around DeepSeek cluster into three distinct categories: operational security failures in the company's own infrastructure, data governance and sovereignty risks inherent to a Chinese-headquartered service, and model-level safety and output risks when the model is deployed either via the API or as a locally-run open-weight version.

1M+
Rows exposed in DeepSeek's unprotected ClickHouse database
10+ countries
Governments that issued guidance restricting or banning DeepSeek on official devices
Open-weight
Model weights freely downloadable — risks shift to the deploying organisation

The ClickHouse Database Exposure

Wiz Research discovered the exposure on January 29, 2025. A ClickHouse instance was accessible without authentication. The database contained log streams including full chat histories from users who had interacted with deepseek.com, API keys and secret keys for DeepSeek internal services, backend system prompts used to configure model behaviour, software version and deployment metadata, and plaintext user email addresses.

Data Sovereignty and Chinese Regulatory Exposure

DeepSeek is incorporated in China and subject to the PRC's National Intelligence Law, which requires Chinese organisations and citizens to support, assist, and cooperate with national intelligence work. Unlike extraterritorial legal processes in Western jurisdictions, PRC intelligence directives are not subject to transparency or challenge mechanisms. Data stored on servers in China — or accessible by employees in China — is effectively accessible to the Chinese state on demand.

  • DeepSeek's privacy policy confirms data is stored on servers located in China
  • Keystroke dynamics and behavioural metadata are collected in addition to message content
  • No data processing agreement available that meets GDPR Article 28 requirements
  • No SCCs or equivalent transfer mechanism for personal data from EU to China
  • US Congressional review prompted NDAA-equivalent legislation restricting federal use

Model-Level Security Analysis

Security researchers from multiple firms conducted red-teaming exercises on DeepSeek R1 and V3. The models demonstrated significantly weaker safety guardrails than comparable Western models, particularly around content related to bioweapons synthesis, cybersecurity exploit development, and political content sensitive to CCP interests. Jailbreak success rates on standard benchmark suites were substantially higher than GPT-4o or Claude 3.5 Sonnet.

  • HarmBench jailbreak success rate: approximately 83% on DeepSeek R1 vs 22% on GPT-4o per Adversa AI research in February 2025
  • Bioweapons synthesis queries: minimal filtering compared to Western frontier models
  • Cybersecurity exploit generation: compliant with detailed exploit requests in most tested configurations
  • Political content censorship: hard-coded refusals for Tiananmen Square, Taiwan independence, and Uyghur topics
  • Prompt injection susceptibility: significantly more vulnerable than frontier models with system prompt protection

Open-Weight Deployment Risks

Because DeepSeek released model weights publicly, organisations can download and run the model locally, eliminating the data sovereignty concern. However, this shifts the risk profile rather than eliminating it. Locally-run open-weight models remove the input filtering that the API applies. Fine-tuning the weights is straightforward, allowing threat actors to strip remaining safety filters entirely. The model architecture itself may contain undisclosed backdoors — a concern that is extremely difficult to verify through static analysis of billions of parameters.

Enterprise Risk Assessment Framework

  1. Inventory all DeepSeek usage: API, web interface, and any locally deployed instances across the organisation
  2. Classify data sensitivity: prohibit submission of any PII, confidential IP, or regulated data to DeepSeek API
  3. Evaluate open-weight deployment: self-hosting removes data sovereignty risk but requires security hardening
  4. Assess alternatives: OpenAI, Anthropic, Google, or domestic cloud AI services offer comparable capability with better security posture
  5. Update AI use policy: explicitly address Chinese-origin AI services and define approved vs. prohibited contexts
  6. Incident response posture: assume any data submitted to DeepSeek before Q2 2025 may be compromised
DeepSeek is a security event disguised as a product launch. The exposed database, the data sovereignty risks, and the model safety gaps combine into a threat profile that most enterprise security teams have not yet fully assessed.
Italy, Australia, Taiwan
Early movers to ban DeepSeek on government devices following exposure disclosure
83%
Jailbreak success rate on DeepSeek R1 on HarmBench vs 22% for GPT-4o
Zero
GDPR-compliant transfer mechanisms available for EU data sent to DeepSeek

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.