Microsoft admits to data exposure

January 23, 2020 By Naveen Victor

Microsoft has admitted in a blog post that certain customer data may have been accidentally exposed to the public last month. Specifically, this data was from an internal customer support database used for Microsoft support case analytics.

That said, most of the personal data kept on the database had been redacted through the use of automated tools. Only information that did not meet standard formatting, such as an email address separated by spaces, would not have been redacted.

Investigation into the issue found no malicious use of said data, and most customers did not have their personally identifiable information exposed. Also, this issue did not affect customers of Microsoft’s commercial cloud services.

The software giant says that the vulnerability was due to misconfigured security rules initiated by the database’s network security group on December 5, 2019. However, the problem only came to the company’s attention some time later.

On December 31, 2019, Microsoft’s engineers managed to make the necessary changes to prevent unauthorized access to customer data. The company is also taking measures to prevent future occurrences of this issue. This entails:

  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.
  • Implementing additional redaction automation.
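The redaction gap described above (an email address separated by spaces slipping past automated tooling) and the "additional redaction automation" item can be illustrated with a short check. This is an added example, not Microsoft's code: the patterns, function names and sample support-case lines are constructed for illustration.

```python
import re

# Conventional pattern: expects a contiguous local@domain.tld token.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant pattern (assumption for this example): same shape, but allows
# spaces or tabs around "@" and around the dots in the domain. It can
# over-redact nearby words, which is the safer failure mode for redaction.
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+(?:[ \t]*\.[ \t]*[A-Za-z0-9-]+)+"
)

PLACEHOLDER = "[REDACTED_EMAIL]"

# Constructed sample records, not real support data.
SAMPLE = [
    "Customer jane.doe@example.com reports sync failure",
    "Reply to jdoe @ example . com when fixed",
    "Callback address: sam@ example.org (work)",
    "No contact details supplied",
]


def redact(text, pattern):
    """Replace every match of the given pattern with the placeholder."""
    return pattern.sub(PLACEHOLDER, text)


def redaction_gaps(records):
    """Return (record index, leaked text) for anything the strict pass
    leaves behind that the tolerant pattern still recognises."""
    gaps = []
    for index, record in enumerate(records):
        after_strict = redact(record, STRICT_EMAIL)
        for match in TOLERANT_EMAIL.finditer(after_strict):
            gaps.append((index, match.group(0)))
    return gaps


if __name__ == "__main__":
    for index, leaked in redaction_gaps(SAMPLE):
        print(f"record {index}: strict redaction missed {leaked!r}")
    for record in SAMPLE:
        print(redact(record, TOLERANT_EMAIL))
```

Running a second, looser pattern over already-redacted output turns the formatting gap into something that can be alerted on before data leaves the redaction pipeline.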

Microsoft was apologetic about the issue but stated that such problems do occur in the industry. It said it is taking the issue seriously and will work harder to prevent such a mistake from happening in the future.

Sources:
Microsoft Security Response Centre
ZDNet.com