Config flub by Microsoft exposed millions of customer details

By on
Config flub by Microsoft exposed millions of customer details

Nearly 250 million records visible on the web.

Microsoft has acknowledged that it left hundreds of millions of customer support records exposed for most of December last year, having failed to apply appropriate security controls for a database.

Security vendor Comparitech researcher Bob Diachenko found the open database, which had been left exposed from December 5 to December 31 United States time, when Microsoft engineers secured it.

Diachenko said he found a set of five unsecured Elasticsearch databases on December 7.

Each stored an identical database that contains nearly 250 million customer service and support records.

The data could be accessed by anyone with a web browser, no password or other authentication required.

Apart from email and internet protocol address, the records contained case numbers and logs of conversations between Microsoft support agents and customers worldwide, from 2005 to December last year. 

Diachenko believes the data was only exposed for two days until he reported the leak to Microsoft.

While Microsoft said there is no evidence of malicious access to what it says is an internal database, it was indexed by information storage security company BinaryEdge.

Comparitech suggested that the data could have been valuable to tech support scammers impersonating Microsoft, to defraud customers.

Microsoft thanked Diachenko, and said it wanted to be transparent with customers and reassure them that it is taking the incident very seriously and holding themselves accountable.

"Misconfigurations are unfortunately a common error across the industry.

We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.

As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available," Microsoft top infosec executives Ann Johnson and Eric Doerr wrote in the company's mea culpa.

No personally indentifiable information was exposed, Microsoft said. 

Microsoft's standard operating procedures automatically remove personal information in support case analytics databases, but in some cases this had not worked.

If customer data was entered in a non-standard format, such as email addresses with spaces, they may have been left un-redacted, Microsoft said.

The company has started notifying customers whose details were in the exposed database, and tightened up security procedures to prevent future leaks.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
microsoft privacy security

Sponsored Whitepapers

Empowering workforces in the new environment
Empowering workforces in the new environment
Is the technology refresh dead?
Is the technology refresh dead?
DevSecOps: A framework for digital innovation
DevSecOps: A framework for digital innovation
Encryption: Protect your most critical data
Encryption: Protect your most critical data
Overcoming data security challenges in a hybrid, multicloud world
Overcoming data security challenges in a hybrid, multicloud world

Events

Most Read Articles

Aussie Broadband says some customers are switching providers to get high-speed NBN discounts

Aussie Broadband says some customers are switching providers to get high-speed NBN discounts
Aussie Broadband to white label its services

Aussie Broadband to white label its services
Swinburne University data breach exposes details of 5000 staff, students

Swinburne University data breach exposes details of 5000 staff, students
CBA's digital benefits finder unlocks $481 million for customers

CBA's digital benefits finder unlocks $481 million for customers
You must be a registered member of iTnews to post a comment.
| Register

Log In

Username / Email:
Password:
  |  Forgot your password?