Config flub by Microsoft exposed millions of customer details

By on
Config flub by Microsoft exposed millions of customer details

Nearly 250 million records visible on the web.

Microsoft has acknowledged that it left hundreds of millions of customer support records exposed for most of December last year, having failed to apply appropriate security controls for a database.

Security vendor Comparitech researcher Bob Diachenko found the open database, which had been left exposed from December 5 to December 31 United States time, when Microsoft engineers secured it.

Diachenko said he found a set of five unsecured Elasticsearch databases on December 7.

Each stored an identical database that contains nearly 250 million customer service and support records.

The data could be accessed by anyone with a web browser, no password or other authentication required.

Apart from email and internet protocol address, the records contained case numbers and logs of conversations between Microsoft support agents and customers worldwide, from 2005 to December last year. 

Diachenko believes the data was only exposed for two days until he reported the leak to Microsoft.

While Microsoft said there is no evidence of malicious access to what it says is an internal database, it was indexed by information storage security company BinaryEdge.

Comparitech suggested that the data could have been valuable to tech support scammers impersonating Microsoft, to defraud customers.

Microsoft thanked Diachenko, and said it wanted to be transparent with customers and reassure them that it is taking the incident very seriously and holding themselves accountable.

"Misconfigurations are unfortunately a common error across the industry.

We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.

As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available," Microsoft top infosec executives Ann Johnson and Eric Doerr wrote in the company's mea culpa.

No personally indentifiable information was exposed, Microsoft said. 

Microsoft's standard operating procedures automatically remove personal information in support case analytics databases, but in some cases this had not worked.

If customer data was entered in a non-standard format, such as email addresses with spaces, they may have been left un-redacted, Microsoft said.

The company has started notifying customers whose details were in the exposed database, and tightened up security procedures to prevent future leaks.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
microsoft privacy security

Sponsored Whitepapers

IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams
Find unhappy users before they complain
Find unhappy users before they complain

Events

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
ACCC clears 5G as a substitute for fixed-line broadband

ACCC clears 5G as a substitute for fixed-line broadband
Service NSW to hire 200 engineers, designers

Service NSW to hire 200 engineers, designers
ANZ sets itself up for a new workforce transformation

ANZ sets itself up for a new workforce transformation

Log In

Email:
Password:
  |  Forgot your password?