Microsoft disclosed a security breach caused by a misconfigured internal customer support database that led to the accidental exposure of roughly 250 million customer support and service records, some of them containing personally identifiable information.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," Microsoft said in a blog post published today.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access."
Most records automatically anonymized
Microsoft didn't get into details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, only that data in the support case analytics database was "redacted using automated tools to remove personal information."
While most of the records stored within the heavily-redacted internal customer support database used for support case analytics did not contain personal information, some non-standard PII wasn't anonymized.
For instance, email addresses separated with spaces like 'username @ domain.com' instead of 'username@domain.com' were left untouched by Microsoft's automated PII redaction tools.
We're committed to the privacy & security of our customers and want to be transparent about the misconfiguration of a heavily-redacted internal customer support database used for support case analytics that was exposed to the internet for a matter of days. https://t.co/cMDzrIfA0k
— Security Response (@msftsecresponse) January 22, 2020
However, Security Discovery's Cyber Threat Intelligence Director Bob Diachenko, the researcher who reported the exposed data to Microsoft was able to tell BleepingComputer that the 250 million customer support and service records were stored on five identical ElasticSearch clusters.
The records contained "contained chats, cases descriptions - everything you can imagine being part of MS CSS daily routine," he added. Diachenko also confirmed that "most of the data had PII redacted automatically" in the exposed database.
As he also revealed in a report published in collaboration with Comparitech, the records that weren't properly anonymized exposed customer email addresses, IP addresses, locations, CSS claims and case descriptions, Microsoft support agent emails, and internal notes marked as "confidential."
Diachenko also shared that Microsoft's support team secured the databases on December 30, a day after the report he sent on December 29.
Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4
— Bob Diachenko (@MayhemDayOne) January 22, 2020
Microsoft also shared in their disclosure that the company is taking measures to prevent future incidents involving customer data.
As the blog post says, Microsoft will start:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now