Shared Context: How an MCP Server Exposed a Private Equity Firm

Greg Pollock
Published May 18, 2026

What used to be theoretical AI risks, like the discovery and exploitation of zero-day vulnerabilities, are now real events. Another risk is now being observed in the wild: sensitive business data leaking from misconfigured MCP servers. Compared to the data leaks of the past, certain features of MCP servers make them particularly concerning. An MCP server is not one product that can be misconfigured, but a gateway that can be connected to any technology and turn it into a data leak vector. And while prior research has demonstrated that publicly accessible MCP servers expose tools of potential concern, here we show that the data behind those tools is accessible and of meaningful business impact.

In this case, an MCP server connected to a private equity firm’s Snowflake account gave us unrestricted read access to 8,385 database tables, exposing all the contact data, financial information, and infrastructure credentials used to run a business with billions of dollars of assets under management. 

MCP Server Security Risks

Model Context Protocol (MCP) is a specification for making external systems accessible to AI agents. Let’s say you want Claude to schedule a meeting on your Google Calendar. To do so it would read existing events from your calendar using the Calendar API, “think” about when to schedule the meeting using Claude’s large language model (LLM), then send a properly formatted request to the Calendar API to add the event. A Google Calendar MCP server would provide that translation layer between Google Calendar’s API specification and the natural language processing of Claude’s LLM. 

The danger is that those MCP servers then provide another entry point to the systems they send messages to and receive messages from. If the MCP server in our example is allowed to read from your calendar, then anyone who can communicate with the MCP server can use it to get information from the calendar. When configured without authentication and exposed to the internet, they create an interface for anyone in the world to access whatever data is on the other side.

This makes MCP security quite important. 

Previous studies have demonstrated that users are already setting up MCP servers that are accessible from the internet and missing access controls. Over one thousand MCP servers are reachable over the internet and allow anonymous users to list the "tools" that each server makes accessible. For these servers to actually expose data, however, those tools must also lack authentication checks and provide access to sensitive data. Verifying this final, crucial step is what allows us to conclude whether an MCP server is actually leaking data or is just a wrapper for a public API. The prior research established a necessary precondition for impactful data leakage; here we show it is happening.
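The three-step check described above (can an anonymous client complete the MCP handshake, list the tools, and actually get data back from a read-only tool?) as an added example. This is not UpGuard's scanner and not code from the exposed server; the endpoint URL, the "2025-03-26" protocol revision, the minimal streamable-HTTP handling, and the canned server replies in fake_unauthenticated_server are all assumptions constructed for the example. Only tools whose names suggest a read (list, describe, show, schema) are ever invoked, so the probe cannot modify anything on the far side.

```python
"""Probe an MCP endpoint for anonymous access: initialize -> tools/list
-> tools/call on a read-only tool. Added example; the transport details
and the canned replies below are assumptions, not the real server."""
import json
import urllib.error
import urllib.request

PROTOCOL_VERSION = "2025-03-26"  # assumed MCP revision for the handshake
READ_HINTS = ("list", "describe", "show", "schema")


def jsonrpc(method, params=None, req_id=None):
    """Build one JSON-RPC 2.0 message; no "id" means it is a notification."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if req_id is not None:
        msg["id"] = req_id
    return msg


def http_transport(url, token=None):
    """Return send(msg) -> (http_status, parsed reply or None) over the
    streamable-HTTP transport. Echoes Mcp-Session-Id once the server
    assigns one and unwraps a single SSE "data:" frame if one is returned."""
    session = {}

    def send(msg):
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json, text/event-stream"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        if "sid" in session:
            headers["Mcp-Session-Id"] = session["sid"]
        req = urllib.request.Request(url, data=json.dumps(msg).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                sid = resp.headers.get("Mcp-Session-Id")
                if sid:
                    session["sid"] = sid
                body = resp.read().decode()
                if "text/event-stream" in resp.headers.get("Content-Type", ""):
                    frames = [ln[5:].strip() for ln in body.splitlines()
                              if ln.startswith("data:")]
                    body = frames[-1] if frames else ""
                return resp.status, (json.loads(body) if body else None)
        except urllib.error.HTTPError as e:
            return e.code, None
    return send


def _ok(status, reply):
    return status == 200 and isinstance(reply, dict) and "result" in reply


def probe(send):
    """Classify an endpoint as 'auth_required', 'no_mcp', 'tools_listed'
    or 'data_readable'; also returns the tool names seen."""
    status, reply = send(jsonrpc("initialize", {
        "protocolVersion": PROTOCOL_VERSION, "capabilities": {},
        "clientInfo": {"name": "mcp-probe", "version": "0.1"}}, req_id=1))
    if status in (401, 403):
        return "auth_required", []
    if not _ok(status, reply):
        return "no_mcp", []
    send(jsonrpc("notifications/initialized"))
    status, reply = send(jsonrpc("tools/list", {}, req_id=2))
    if status in (401, 403):
        return "auth_required", []
    if not _ok(status, reply):
        return "no_mcp", []
    tools = [t["name"] for t in reply["result"].get("tools", [])]
    # Never call anything that might write; only name-hinted read tools.
    for name in (t for t in tools if any(h in t.lower() for h in READ_HINTS)):
        status, reply = send(jsonrpc("tools/call",
                                     {"name": name, "arguments": {}}, req_id=3))
        if _ok(status, reply) and not reply["result"].get("isError"):
            return "data_readable", tools
    return "tools_listed", tools


def fake_unauthenticated_server(msg):
    """Constructed replies standing in for an exposed, database-backed
    MCP server that answers every request without credentials."""
    if "id" not in msg:
        return 202, None  # notifications get 202 Accepted, empty body
    rid, method = msg["id"], msg["method"]
    if method == "initialize":
        return 200, {"jsonrpc": "2.0", "id": rid, "result": {
            "protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
            "serverInfo": {"name": "warehouse-mcp", "version": "0.0"}}}
    if method == "tools/list":
        return 200, {"jsonrpc": "2.0", "id": rid, "result": {"tools": [
            {"name": "list_databases", "inputSchema": {"type": "object"}},
            {"name": "run_query", "inputSchema": {"type": "object"}}]}}
    if method == "tools/call" and msg["params"]["name"] == "list_databases":
        return 200, {"jsonrpc": "2.0", "id": rid, "result": {
            "content": [{"type": "text", "text": "DEALCLOUD\nOPS_DATA_PROJECT"}],
            "isError": False}}
    return 200, {"jsonrpc": "2.0", "id": rid,
                 "error": {"code": -32601, "message": "unknown method"}}


if __name__ == "__main__":
    print(probe(fake_unauthenticated_server))
    # Against a live endpoint: print(probe(http_transport("https://host/mcp")))
```

A 401 or 403 on the first message is the healthy outcome. "tools_listed" is the condition the earlier studies measured; "data_readable" is the condition this report is about, and it is the only result that justifies a notification.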

In contrast to other data leak vectors, MCP leaks are especially dangerous as a means to expose data from arbitrary sources. For products like cloud storage buckets or code repositories, the controls to prevent leaks are integral to the technology itself. If you don't want your Amazon S3 bucket or GitHub repo to be public, go to the configuration settings and make them private. When organizations adopt those specific technologies, they can conduct targeted user education on how to configure them securely.

In contrast, MCP servers connect to arbitrary data stores and applications, circumventing whatever security design has gone into those products. Even databases with a private network address can have their data exposed if they are accessible via an MCP server with a public address. While other data leak vectors are typically the result of security design decisions for a specific product, MCP servers are a DIY free-for-all that allow users to make anything insecure. 

Analysis of MCP Leak Found In the Wild

On Friday, March 20 UpGuard detected a publicly-accessible MCP server with sensitive data and notified the responsible entity. When the data was still accessible on Monday, March 23, UpGuard emailed two employees at personal addresses listed on the site. The data became inaccessible later that day. They never responded to UpGuard or publicly disclosed the incident. 

The data exposed by this MCP server puts numbers to the blast radius of a medium-sized private equity firm and illustrates how one leaky MCP server can provide a portal to vast data stores. As the use of an MCP server to connect their workers' AI tools to their data store suggests, the firm was already advanced in its AI adoption and technical sophistication. For employees, this would enable their AI tools to retrieve any information they could want. It also made all of it accessible to the world.

Contact information

Across the eight thousand tables of data there were 696 columns related to email. Some of the most concentrated collections of PII were in two CONTACT tables. The current version had 21,620 records with 184 columns for data points like FIRSTNAME, LASTNAME, EMAIL, ADDRESS, BUSINESSPHONE, and MOBILEPHONE. Furthermore, specific contact data points called out the executive assistants, who are typically targeted because of their ability and willingness to act on behalf of executives, with data for ASSISTANTEMAIL, ASSISTANTNAME, and ASSISTANTPHONE.

Another CONTACT table in the DATA_HISTORY schema had 17,295,562 rows with the same columns. It's hard to believe that a ~200 person PE firm is really engaging with seventeen million contacts. Those are likely exports from other contact databases that have been moved to an archive separate from the 21,000 active contacts.

Database  | Schema       | Table   | Rows       | Columns
DEALCLOUD | DATA         | CONTACT | 21,620     | 184
DEALCLOUD | DATA_HISTORY | CONTACT | 17,295,562 | 184

Business transaction secrets

To make a successful spearphishing attempt on one of those 21,000 current contacts, the attacker would need additional context that only an insider would know. For that, tables like DEAL, with 7,497 rows, detailed the relevant contacts, status of engagement, most recent interaction date, and notes on funding and borrowing. The PROPOSAL table, with 541 rows, offered a more select view of deals that had progressed to a point where an attacker might insert themselves into a planned transaction. DEALFUNDING, with 463 rows, gives even more granular insight, like the ASKAMOUNT, COMMITMENTAMOUNT, capital provider, lender, closing fees, and more than 100 other data points detailing the financial structure.

Beyond the structured data of the DealCloud CRM, the MCP server also had access to raw document stores for what appeared to be a custom-built AI tool. This tool had access to employees' raw email contents, attachments, calendar events, and AI tool usage.

Database   | Schema | Table             | Rows   | Columns
DEALCLOUD  | DATA   | DEAL              | 7,497  | 172
DEALCLOUD  | DATA   | PROPOSAL          | 541    | 25
DEALCLOUD  | DATA   | DEALFUNDING       | 463    | 128
<redacted> | RAW    | EMAILS            | 9,767  | 17
<redacted> | RAW    | EMAIL_ATTACHMENTS | 80,935 | 19

Internal business secrets

The database collection this MCP server accessed did not just contain data for external-facing operations. It appeared to be in the process of taking on internal operations as well, though the relatively small number of rows suggests this was just starting. Payroll, finance, safety reporting and more were also stored.

Database         | Schema             | Table          | Rows | Columns
OPS_DATA_PROJECT | <redacted>         | FINANCIAL_PROD | 62   | 30
OPS_DATA_PROJECT | <redacted>         | PAYROLL        | 31   | 31
OPS_DATA_PROJECT | RAPIDMINER_LANDING | ADP_PAYROLL    | 32   | 27
OPS_DATA_PROJECT | RAPIDMINER_LANDING | ORA_FINPROD    | 62   | 28
OPS_DATA_PROJECT | RAPIDMINER_LANDING | STR_SAFETY     | 249  | 12
OPS_DATA_PROJECT | RAPIDMINER_LANDING | UKG_WRKHOURS   | 26   | 12

Administrative system credentials

Finally, the MCP server had access to credential sets that employees used to query data and to use additional AI tools. These included per-user tables for named, identifiable investment operators at the firm, along with more generic administrator credentials for a plethora of services: Cloudflare, Dropbox, Figma, AWS Administrator, AWS IAM, AWS Bedrock, Azure, Tailscale for remote access, Cursor, Deepgram for meeting transcription, Recall.ai for online meeting capture, hosted databases, and more. As with the CRM data, the credential set is so extensive as to suggest it is exhaustive of every API key and secret for the company's services. One table is even named USER_API_KEYS_PLAINTEXT. The administrator email address for these accounts, recorded multiple times throughout the data set, is that of the firm's founder and managing partner.

Database         | Schema             | Table                               | Rows
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 22
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 11
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 11
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 22
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 22
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 11
USER_<redacted>  | HIVE_MIND          | CREDENTIALS                         | 22
<redacted>       | V2_ADMIN_HIVE_MIND | API_KEYS                            | 73
<redacted>       | V2_ADMIN_HIVE_MIND | API_KEYS_BACKUP_2026_02_06          | 24
<redacted>       | V2_ADMIN_HIVE_MIND | API_KEYS_BACKUP_CURRENT             | 29
<redacted>       | V2_ADMIN_HIVE_MIND | AUDIT_LOG                           | 52
<redacted>       | V2_ADMIN_HIVE_MIND | SESSION_TRACKER                     | 1
<redacted>       | V2_ADMIN_HIVE_MIND | USERS                               | 17
<redacted>       | V2_ADMIN_HIVE_MIND | USER_API_KEYS_PLAINTEXT             | 9
<redacted>       | V2_ADMIN_HIVE_MIND | USER_CREDENTIALS                    | 0
<redacted>       | V2_ADMIN_HIVE_MIND | USER_PERMISSIONS                    | 661
<redacted>       | V2_ADMIN_HIVE_MIND | USER_PERMISSIONS_BACKUP_2026_02_06  | 664

PII for customers, prospects and employees; email contents, meeting notes, and financial offers; credentials for infrastructure and SaaS apps: the MCP server offered a gateway to total compromise of the firm's data confidentiality.

Broader MCP Risks 

Through the exposure, this business put themselves and their current and potential business partners at risk. While that could result in expensive losses for a firm with $4B of assets under management, the macroeconomic motives driving their AI adoption illustrate how the impacts of MCP leaks could get much larger.

AI Adoption Makes MCP a Single Point of Failure

One of the most promising, or threatening, applications of AI is in the world of knowledge work: architects, accountants, lawyers, doctors, wealth managers, and other professional services where high compensation is a function of the intensive training, high skill, and relative scarcity of those workers. On their own, large language models (LLMs) can produce a convincing but dangerously incomplete facsimile of expert work product. Like real knowledge workers, LLMs require specific, contextually relevant information to correctly analyze a situation. That is exactly what MCP servers provide.

While the missing security configurations made the end result a near-disaster, the intention was good: to compete with AI, investors need to have the best that AI can offer them. Large sets of financial performance data, detailed information on past interactions, CRMs full of contacts, state of the art AI tools, and MCP to connect them all. That setup is what AI adoption looks like, but it makes MCP security a single point of failure for the entire business.

High-Value Targets, Under-Resourced Defenders

The same firms that fit the profile for MCP adoption are also desirable targets for attackers. These organizations are likely to possess highly confidential and valuable information, and to habitually exchange large sums of money with outside parties. The FBI has repeatedly warned about hackers targeting law firms, for example, because they hold data that is confidential and even materially useful for insider trading.

At the same time that these firms hold valuable data and hefty bank balances, they are also structurally under-equipped for information security management. Professional services firms tend to be small and concentrate headcount in their core revenue-driving competencies. Among the 418,181 law firms in the US, the average number of employees is 3.3. For America's 19,000 architecture firms, 75% have under ten employees. Despite consolidation in healthcare, 155,000 medical practices have 50 or fewer employees. The average financial advisor focused on individual clients has $365M in assets under management and nine employees. Professional services firms are lucky to have an IT generalist in-house, much less someone specialized in MCP security.

Cascading Risk Through Vendor Relationships

Even worse, the vulnerability of knowledge worker firms is not just their problem; their services inherently position them as critical vendors to all of their clients. For a private equity firm, that extends to their portfolio companies and the entire segment where their core activity is proposing multi-million dollar transactions. Legal secrets, medical data, financial holdings: professional services firms don't just sell an activity, they provide a level of trust that allows them to handle these high-value information assets. Just as equity funds gain leverage by borrowing additional money against their fund, so too they multiply the potential damage of a data security incident.

Conclusion

The case documented here is no longer a thought experiment. A single misconfigured MCP server collapsed the boundary between a private equity firm's most sensitive data — contacts, deal economics, employee email, and the master credential set for every connected service — and the open internet. The technologies that make AI agents genuinely useful for knowledge work are the same technologies that, configured carelessly, hand attackers a single switch that turns off an entire firm's confidentiality. The fixes are not exotic: authentication on every MCP server, network restrictions that keep them off the public internet, and an inventory that treats each MCP connection as a privileged pathway into the system behind it. As more firms race to give their AI tools the context that makes them powerful, the discipline of treating that context as a crown-jewel attack surface has to keep pace, or the attackers will. 
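What the "not exotic" fixes look like at the tool boundary, as an added example that is not the firm's server, UpGuard's code, or any MCP SDK: a bare "run any SQL" tool of the kind the exposed server effectively offered, beside a gated version that demands a bearer token, permits only a single SELECT over an allowlist of curated views, and caps the row count. The tool signature, the token, the allowlist, and the in-memory CATALOG standing in for the warehouse are all assumptions. The gate is defence in depth only; the primary control is still the database role the MCP server logs in with, which should be able to read nothing more than those same views.

```python
"""Unrestricted vs. gated MCP "query" tool over a constructed warehouse.
Added example; names, token and catalog are assumptions."""
import hmac
import re

# Constructed stand-in for the Snowflake account: object name -> rows
CATALOG = {
    "DEALCLOUD.DATA.CONTACT": [{"EMAIL": "a@example.com"}, {"EMAIL": "b@example.com"}],
    "ADMIN.V2_ADMIN_HIVE_MIND.USER_API_KEYS_PLAINTEXT": [{"KEY": "sk-live-redacted"}],
    "ANALYTICS.PUBLIC.DEAL_SUMMARY": [{"DEAL": f"D{i}", "STAGE": "LOI"} for i in range(1, 6)],
}


def fake_execute(sql):
    """Pretend warehouse: serves whatever object the statement names,
    exactly as a service role with account-wide SELECT would."""
    m = re.search(r"\bfrom\s+([A-Za-z0-9_.]+)", sql, re.I)
    return list(CATALOG.get(m.group(1).upper(), [])) if m else []


def unrestricted_query(args, execute=fake_execute):
    """The exposed design: any caller, any SQL, the service role's full reach."""
    return execute(args["sql"])


# --- gated design ---------------------------------------------------------
ALLOWED_OBJECTS = {"ANALYTICS.PUBLIC.DEAL_SUMMARY"}   # curated views only
MAX_ROWS = 100
EXPECTED_TOKEN = "assumed-per-user-token"  # in practice an OAuth-validated token
_OBJECT_RE = re.compile(r'\b(?:from|join)\s+([A-Za-z0-9_."]+)', re.I)


def _authorize(headers):
    """Reject the request unless it carries the expected bearer token."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            token.encode(), EXPECTED_TOKEN.encode()):
        raise PermissionError("missing or invalid bearer token")


def _vet_sql(sql):
    """Allow one SELECT whose FROM/JOIN objects are all on the allowlist.
    A regex gate, not a parser: it backs up the role grants, not replaces them."""
    body = sql.strip().rstrip(";")
    if ";" in body or not re.match(r"^\s*select\b", body, re.I):
        raise ValueError("only a single SELECT statement is permitted")
    objects = {o.replace('"', "").upper() for o in _OBJECT_RE.findall(body)}
    if not objects or not objects <= ALLOWED_OBJECTS:
        raise ValueError(f"objects outside allowlist: {sorted(objects - ALLOWED_OBJECTS)}")
    return body


def restricted_query(args, headers, execute=fake_execute):
    """Gated design: caller authenticated, statement vetted, rows capped."""
    _authorize(headers)
    return execute(_vet_sql(args["sql"]))[:MAX_ROWS]


def demo():
    """Run both designs over the same requests; returns outcome labels."""
    ok = {"authorization": f"Bearer {EXPECTED_TOKEN}"}
    secrets = "select * from ADMIN.V2_ADMIN_HIVE_MIND.USER_API_KEYS_PLAINTEXT"
    cases = [
        ("anon_secrets_unrestricted", lambda: unrestricted_query({"sql": secrets})),
        ("anon_secrets_restricted", lambda: restricted_query({"sql": secrets}, {})),
        ("token_contact_restricted", lambda: restricted_query(
            {"sql": "select EMAIL from DEALCLOUD.DATA.CONTACT"}, ok)),
        ("token_stacked_restricted", lambda: restricted_query(
            {"sql": "select * from ANALYTICS.PUBLIC.DEAL_SUMMARY; drop table x"}, ok)),
        ("token_allowed_restricted", lambda: restricted_query(
            {"sql": "select DEAL from ANALYTICS.PUBLIC.DEAL_SUMMARY"}, ok)),
    ]
    out = {}
    for label, fn in cases:
        try:
            out[label] = f"rows:{len(fn())}"
        except (PermissionError, ValueError) as e:
            out[label] = type(e).__name__
    return out


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:28s} {outcome}")
```

The first case is the incident in miniature: with no token and no allowlist, the plaintext API key table is one request away. The same request against the gated tool fails on authentication before any SQL is looked at, and even an authenticated user cannot reach CONTACT or stack a second statement.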
