And in another similarity to conventional attack types, “nation-states are probably one of the biggest risks here because they have the ability and resources to invest in this [type of attack],” says David Youssef a managing director at FTI Consulting and leader of the North America incident response efforts for the firm’s cybersecurity practice.

Bad actor motivations for poisoning attacks are also familiar, according to security experts, who say hackers may target AI systems for the same reasons they launch other types of cyberattacks, such as to cause disruption or damage an organization. Some say hackers may also use poisoning attacks to gain access to proprietary data or to get money.

“Could someone use this for extortion? Absolutely,” says Erik Avakian, technical counselor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania. “If a hacker can compromise a system by poisoning, they can use that; they can say, ‘We poisoned the model, now you have to pay us money [to get information on what we did].’”