The research exposed critical privacy vulnerabilities in Quantum Machine Learning (QML) models, demonstrating that attackers could infer membership of training data with up to 90.2% accuracy in simulations and 75.3% on real quantum hardware via Membership Inference Attacks (MIA). This reveals a systemic risk where sensitive data—such as patterns in datasets like MNIST—could be reverse-engineered, compromising confidentiality. While the team mitigated risks using quantum unlearning techniques (reducing MIA success to near 0% in simulations and 0.9–7.7% on hardware), the initial vulnerability highlights a fundamental flaw in QML’s data protection mechanisms, particularly in high-stakes domains like healthcare or finance where training data may include personally identifiable or proprietary information. The attack vector exploits quantum circuit intermediate outputs (predictions, losses), enabling reconstruction of training data subsets. Though unlearning was effective, the pre-mitigation exposure poses a severe threat to organizations adopting QML without robust privacy safeguards, risking regulatory non-compliance (e.g., GDPR) and intellectual property theft if adversaries exploit these leaks.
TPRM report: https://www.rankiteo.com/company/quantum-systems-accelerator
"id": "qua2164521091025",
"linkid": "quantum-systems-accelerator",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': ['Artificial Intelligence',
'Quantum Computing',
'Data Privacy'],
'name': 'Quantum Machine Learning Research Community',
'type': 'Academic/Research Sector'},
{'industry': ['AI/ML',
'Quantum Computing',
'Cybersecurity'],
'location': 'Global',
'name': 'Organizations Experimenting with QML Models',
'type': ['Private Companies',
'Government Labs',
'Startups']}],
'attack_vector': ['Membership Inference Attack (MIA)',
'Training Data Reconstruction'],
'customer_advisories': ['Organizations using QML should assume training data '
'may be inferable without unlearning.',
'Early adopters of QML should implement unlearning '
'mechanisms before production deployment.',
'Sensitive applications (e.g., biomedical QML) '
'require rigorous privacy assessments.'],
'data_breach': {'data_exfiltration': ['Theoretical (No Actual Exfiltration '
'Reported)'],
'personally_identifiable_information': ['Potential (If '
'Training Data '
'Included PII)'],
'sensitivity_of_data': ['Moderate (Dependent on Training '
'Dataset Sensitivity)'],
'type_of_data_compromised': ['Training Data Membership Status',
'Potential Partial Data '
'Reconstruction']},
'description': 'Researchers Junjian Su, Runze He, Guanghui Li, and colleagues '
'demonstrated that Quantum Machine Learning (QML) models are '
'susceptible to Membership Inference Attacks (MIA), revealing '
'training data membership with high accuracy (90.2% in '
'simulations, 75.3% on real quantum hardware). The study '
'highlights critical privacy risks in QML and introduces '
"'machine unlearning' techniques to mitigate data leakage "
'while preserving model accuracy. Experiments on the MNIST '
'dataset showed that unlearning methods reduced MIA success '
'rates to 0% in simulations and 0.9%–7.7% on real hardware, '
'paving the way for privacy-preserving QML systems.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in QML '
'Technologies',
'Highlighted Need for Privacy '
'Safeguards'],
'data_compromised': ['Training Data Membership Information',
'Potential Sensitive Data Reconstruction'],
'identity_theft_risk': ['Low (Theoretical Risk of Training Data '
'Reconstruction)'],
'legal_liabilities': ['Potential Non-Compliance with Data Privacy '
'Regulations (e.g., GDPR) if Deployed '
'Without Mitigations'],
'systems_affected': ['Quantum Machine Learning Models (Simulated & '
'Real Hardware)',
'MNIST Digit Classification Task']},
'investigation_status': 'Completed (Academic Research)',
'lessons_learned': ['QML models are vulnerable to membership inference '
'attacks, similar to classical ML.',
'Machine unlearning is feasible in quantum systems but '
'requires adaptation of classical techniques.',
'Privacy-preserving QML requires balancing unlearning '
'efficacy with model accuracy.',
'Current QML hardware limitations (noise, qubit count) '
'affect both attack success and mitigation effectiveness.',
'Hybrid quantum-classical approaches may offer robust '
'privacy solutions.'],
'motivation': ['Academic Research',
'Privacy Risk Awareness',
'Development of Mitigation Techniques'],
'post_incident_analysis': {'corrective_actions': ['Standardized quantum '
'unlearning protocols for '
'high-risk applications.',
'Development of quantum '
'differential privacy '
'methods.',
'Hardware-level privacy '
'enhancements (e.g., '
'noise-resistant '
'unlearning).',
'Cross-disciplinary '
'collaboration between '
'quantum physicists and '
'privacy researchers.'],
'root_causes': ['Inherent memorization properties '
'of QML models during training.',
'Lack of privacy-by-design '
'principles in early QML '
'development.',
'Quantum hardware noise enabling '
'side-channel information leakage.',
'Classical-to-quantum adaptation '
'gaps in privacy techniques.']},
'recommendations': ['Integrate machine unlearning into QML pipelines as a '
'standard privacy safeguard.',
'Develop quantum-specific privacy metrics and evaluation '
'frameworks.',
'Prioritize research on scalable unlearning for complex '
'QML models.',
'Explore differential privacy and federated learning '
'adaptations for QML.',
'Establish guidelines for responsible QML deployment in '
'sensitive domains (e.g., healthcare, finance).'],
'references': [{'source': 'Research Paper by Junjian Su, Runze He, Guanghui '
'Li, et al.'},
{'source': 'MNIST Dataset Experiments on QML Privacy '
'Vulnerabilities'}],
'regulatory_compliance': {'regulatory_notifications': ['Implications for '
'GDPR/CCPA Compliance '
'in QML Deployments']},
'response': {'communication_strategy': ['Publication in Academic Journals',
'Presentation at Quantum Computing '
'Conferences'],
'enhanced_monitoring': ['Proposed Future Work on '
'Privacy-Preserving QML'],
'remediation_measures': ['Development of Quantum Machine '
'Unlearning (MU) Techniques',
'Implementation of Three MU Methods '
'(Optimization-Based, Parameter '
'Importance Evaluation, Hybrid)',
'Reduction of MIA Success Rates to '
'Near-Zero in Simulations (0%) and Real '
'Hardware (0.9%–7.7%)']},
'stakeholder_advisories': ['Quantum computing hardware providers (e.g., IBM, '
'Google, IonQ) should collaborate on '
'privacy-enhancing features.',
'AI ethics boards should include QML-specific '
'privacy risks in their frameworks.',
'Funding agencies should prioritize '
'privacy-preserving quantum algorithms.'],
'threat_actor': ['Academic Researchers (Ethical Disclosure)',
'Potential Malicious Actors Exploiting QML Weaknesses'],
'title': 'Privacy Vulnerabilities in Quantum Machine Learning (QML) Models '
'Exposed via Membership Inference Attacks',
'type': ['Privacy Breach',
'Data Leakage',
'Research Vulnerability Disclosure'],
'vulnerability_exploited': ['Quantum Model Memorization of Training Data',
'Lack of Privacy-Preserving Mechanisms in QML',
'Intermediate Data Leakage (Predictions, Losses)']}