Microsoft Left Red-Faced After Misconfiguration Exposes Data of 250 Mn Customers

In the latest incidents of data breaches, it is the global technology giant Microsoft which found itself in thick soup. The breach was brought to light by the Comparitech security research team led by Bob Diachenko. The team found that Microsoft exposed nearly 250 Mn Customer Service and Support (CSS) records on the web.

The company has now publicly admitted to this breach saying that it was because of  “misconfiguration of an internal customer support database” used for tracking support cases that included logs of conversations between Microsoft support agents and customers from all over the world.

These records had logs of conversations between Microsoft support agents and customers from all over the world from the past 14 years (from 2005 to 2019). On December 29, 2019, Comparitech security research team found that the data was left accessible to anyone with a web browser, with no password or other authentication needs.

Diachenko explained that most of the personally identifiable information “emails, contact numbers, and payment information” was redacted. However, many records contained plain text data, including, but not limited to, customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions, and remarks and internal notes marked as “confidential”.

On the same day, Diachenko notified Microsoft upon discovering the exposed data. Over the next two days, Microsoft secured the servers and data. Post this, Diachenko and Microsoft continued the investigation and remediation process.

On January 21, 2020, Microsoft disclosed additional details about the exposure as a result of the investigation. Ann Johnson, corporate vice president, Cybersecurity Solutions Group at Microsoft said that the investigation found no malicious use. “Although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable,” he added in the statement.

Microsoft’s investigation determined that a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data.

According to the company, its engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorised access. “This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” the company added.

This security breach is the latest in the book of troubles for Microsoft. The company is already facing ire for Internet Explorer zero-day vulnerability which it hasn’t issued a patch for, despite it being actively exploited. Further, the US government recently issued a critical Windows 10 update alert concerning the “extraordinarily serious” curveball crypto vulnerability.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.