1.9% of the Estate Scanned.
$27.4M in Extrapolated Risk.
A Canadian and US oil & gas group spanning 8 companies discovered $527,823 in direct privacy data risk across just 22 mailboxes — representing 1.9% of the total data estate. Extrapolated across the full environment, the estimated exposure reaches $27.4M. Only 4.5% of mailboxes are currently ready for AI deployment.
A multi-entity oil & gas group with unmanaged sensitive data across M365 — and a Copilot deployment blocked by its own data posture.
Across 8 companies operating in Canada and the United States, the group’s M365 environment had accumulated years of sensitive privacy and security data with no systematic governance. Travel workflows, recruiting processes, and field operations each generate sensitive information — and virtually all of it was sitting unclassified in email.
The assessment covered only 1.9% of the total data estate, yet found $527,823 in quantified risk — a signal that projects to $27.4M across the full environment. With Microsoft Copilot deployment on the agenda, 96% of users require data remediation before AI can be safely introduced.
Travel workflows are the dominant risk source
Travel information accounts for 34% of all privacy data found. In the oil & gas sector, field crew travel, accommodation bookings, and credit card authorizations flow primarily through email — creating a concentrated, unmanaged exposure in Exchange Online.
Copilot deployment is blocked by data posture
Only 4.5% of Exchange mailboxes meet the data hygiene prerequisites for Microsoft Copilot. 21 of 22 assessed mailboxes require remediation, and 96% of users need to complete a data review before AI can be responsibly deployed.
Growing at 4.06% per month with no containment
Privacy data is accumulating at 4.06% monthly — adding approximately 83 new at-risk items and $14,402 in additional exposure each month from the assessed scope alone. Across the full estate, the monthly exposure increase is estimated at $748,917.
Duplicate copies amplify the remediation scope
1,526 duplicate copies of privacy data were identified — the single largest quick-win opportunity at $263,912 in direct risk reduction and ~$13.72M extrapolated. Deduplication alone can significantly reduce both risk and review effort.
What a 1.9% sample revealed about the full estate
The Data & More assessment covered 22 mailboxes, 22 OneDrives, and 5 SharePoint site collections — delivering quantified risk findings across privacy data, security data, file types, and AI readiness.
Before Copilot can be deployed, 96% of users need to remediate their data.
Microsoft Copilot surfaces data from wherever it exists in M365. That means unclassified privacy data, plain-text passwords, and duplicate documents all become accessible to AI — creating compliance and security risk at the point of AI adoption. The assessment quantifies exactly what needs to be resolved before deployment can proceed responsibly.
Travel and health data account for more than half of all privacy risk
Both categories are directly tied to oil & gas field operations — crew travel, accommodation logistics, and health & safety compliance records. Together they represent 57% of total privacy data found.
Oil & gas context: Health info at 23% is notably higher than most sectors — consistent with safety compliance requirements (WHMIS, physical assessments, drug & alcohol testing) that generate health-sensitive records across field and office operations.
Exchange Online carries 99% of risk — age concentration is recent
The 1–3 year age bucket carries the highest risk, suggesting a surge in data accumulation during 2022–2024. Unlike the legacy-heavy profiles seen in other sectors, this risk is relatively young and growing.
Four targeted actions.
$503K in direct impact. ~$26M extrapolated.
Each quick win targets a specific data workflow and delivers measurable risk reduction — in weeks, not months. The extrapolated figures show the potential impact when the same policies are applied across the full M365 estate.
From data liability to AI-ready estate.
The assessment gives the group a complete, evidence-based picture of its data posture across all 8 entities — and a prioritised path that clears the way for Microsoft Copilot deployment while reducing the regulatory and security exposure embedded in everyday workflows.
A defined path to Copilot readiness
With a clear remediation scope (2,882 privacy items + 1,035 security items across 96% of users), the group now has a specific, bounded programme to complete before AI deployment — rather than an open-ended risk.
SOC 2 Type 2 compliance alignment
The assessment maps directly to multiple SOC 2 control sections (C1, C4, C7, C8, C9, D) — providing the data classification and governance evidence base needed for audit-ready compliance across the multi-entity group structure.
Full data inventory across all M365 systems
For the first time, the group has a quantified view of what sensitive data exists in its M365 environment, what it’s worth to an attacker, and which specific workflows are generating the most exposure.
Security data remediation alongside privacy
Beyond privacy risk, the assessment identified 1,035 security data items — including plain-text passwords and credential data. Addressing these reduces the attack surface available to a compromised account before the group scales further with Copilot.
Get privacy data out of email. Focus on travel and recruiting workflows. Pick something and get started — progress over perfection creates quick wins you can build on.
Every organization’s data tells a story.
Find out what yours says.
A Data & More assessment takes weeks, not months — and gives your team the complete picture needed to act with confidence.