While you and I are working to prepare our organizations for 2020, Microsoft's security teams are doing something else. That's because yesterday the company announced it has been working since last month to close a network security group misconfiguration that exposed roughly 250 million customer service and support records.
On December 29th, 2019, Comparitech and security researcher Bob Diachenko found that a change made to the network security group in front of Microsoft's customer support database contained misconfigured security rules that left customer records improperly exposed to the internet.
While the issue was remedied two days after its discovery and the company says it found no evidence of 'malicious use,' the exposed records still contained personally identifiable information for some customers, including support conversation logs stored on Microsoft's servers dating back to 2005.
Since closing this gap, Microsoft has stated that the 'vast majority' of the exposed records had already had personal data redacted. But Comparitech believes there is still much work to be done. Information such as email and IP addresses was stored on the server in plain text, meaning anyone who reached the affected logs could have harvested it and used the case details to impersonate official support staff in future phishing efforts.
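The redaction that plain-text email and IP addresses in support logs call for, as an added example that is not Microsoft's tooling: a Python redactor that replaces each email or IPv4 address with a salted, pseudonymous token before the line is stored. Tokens are stable for the same customer (so a case can still be followed across lines) but carry no raw value, and a secret salt keeps them from being reversed by hashing candidate addresses. The log lines are constructed for this example; the "jane at example dot com" pattern is included because a redactor that only matches canonical `user@host` forms silently misses such lines, which is the kind of gap a plain-text store leaves open.

```python
"""Added example: pseudonymising redaction of e-mail and IPv4 addresses in support logs.
All sample lines below are constructed for this example, not taken from any real transcript."""
import hashlib
import re

# Canonical e-mail and dotted-quad IPv4 patterns.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Spelled-out form ("jane.doe at example dot com") that a canonical-only regex misses.
# Assumed pattern for the example; real transcripts contain other variants too.
SPELLED_EMAIL_RE = re.compile(
    r"\b[\w.+-]+\s+(?:at|\(at\)|\[at\])\s+[\w-]+(?:\s+(?:dot|\.)\s*[\w-]+)+\b", re.I)

# Constructed support transcript lines (case number, agent/customer turns).
SAMPLE_LOG = [
    "2019-12-05 10:14 case=48213 agent: hello, I see you wrote in from jane.doe@example.com",
    "2019-12-05 10:15 case=48213 customer: yes, my router shows WAN IP 203.0.113.45",
    "2019-12-05 10:16 case=48213 customer: or reach me at jane.doe at example dot com",
    "2019-12-05 10:17 case=48213 agent: noted, Jane.Doe@Example.com, ticket updated",
]

DEFAULT_SALT = b"example-secret-salt"  # in production: a secret kept outside the log store


def _token(kind, value, salt):
    """Stable pseudonym for `value`: first 8 hex chars of SHA-256(salt || lowercased value)."""
    digest = hashlib.sha256(salt + value.lower().encode()).hexdigest()[:8]
    return f"<{kind}:{digest}>"


def _canon_email(spelled):
    """Normalise 'jane.doe at example dot com' to 'jane.doe@example.com'."""
    text = re.sub(r"\s*(?:\(at\)|\[at\]|\bat\b)\s*", "@", spelled, flags=re.I)
    text = re.sub(r"\s*\bdot\b\s*", ".", text, flags=re.I)
    return text.replace(" ", "").lower()


def redact(line, salt=DEFAULT_SALT):
    """Replace every e-mail (canonical or spelled out) and IPv4 address with a token."""
    # Spelled-out e-mails first, so the canonical regex never sees a half-rewritten form.
    line = SPELLED_EMAIL_RE.sub(lambda m: _token("email", _canon_email(m.group(0)), salt), line)
    line = EMAIL_RE.sub(lambda m: _token("email", m.group(0), salt), line)
    line = IPV4_RE.sub(lambda m: _token("ip", m.group(0), salt), line)
    return line


def redact_all(lines, salt=DEFAULT_SALT):
    return [redact(line, salt) for line in lines]


def contains_pii(line):
    """Check used as the write-path gate: refuse to persist a line that still matches."""
    return bool(EMAIL_RE.search(line) or IPV4_RE.search(line) or SPELLED_EMAIL_RE.search(line))


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_all(SAMPLE_LOG)):
        print(after, "" if not contains_pii(after) else "  <-- STILL CONTAINS PII")
```

Because tokens are derived from the lowercased canonical address, all three spellings of the same customer's email in the sample collapse to one token, while the IP on the second line gets its own. Treat `contains_pii` as the gate on the write path rather than as a cleanup run afterwards: data that was never written in plain text cannot be exposed by the next misconfigured rule.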
This Isn’t Microsoft’s First Mistake…
If this story sounds vaguely familiar, that's because this isn't the first major security incident Microsoft has experienced recently. Last April, a 'limited subset of consumer accounts' on the company's consumer webmail services, MSN and Hotmail among them, were found to have been compromised.
Attackers were potentially able to access affected users' email addresses, folder names, email subject lines, and contacts between January 1st and March 28th of last year. But, according to Microsoft, the intrusion stopped short of exposing email content, attachments, or login credentials and passwords.
As a result of the December exposure, Microsoft is making changes to strengthen its security measures moving forward. In addition to auditing the network security rules on its internal resources, the organization is implementing additional tooling to automatically redact sensitive customer information.
Because this is the second major data security incident in less than a year, Microsoft is also expanding its detection of security rule misconfigurations and adding alerting so that service teams are notified when a misconfiguration surfaces in the future.
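The rule audit and misconfiguration detection described above, as an added example that is neither Microsoft's code nor its actual rule set: a Python check that evaluates an Azure network security group's inbound rules the way the platform does (lowest priority number wins, the first matching rule decides, the built-in default rules apply last) and reports which ports an arbitrary internet host could reach. The two rule documents, the database port (9200) and the ops subnet are constructed for this example; field names follow the JSON that `az network nsg show` emits, and the `Internet` and `VirtualNetwork` service tags are approximated as public versus RFC 1918 address space.

```python
"""Added example: audit an Azure NSG for inbound rules that expose a database port to the internet.
Rule documents below are constructed for this example; they are not Microsoft's configuration."""
import ipaddress
import json

DB_PORT = 9200                  # assumed listener port; the page does not name one
PROBE_SOURCE = "203.0.113.10"   # documentation-range address standing in for "any internet host"

# Default rules every NSG carries, used when the document carries no defaultSecurityRules.
_DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed: a "temporary" debug rule opened every port to every source.
EXPOSED_NSG_JSON = """{
  "name": "support-db-nsg",
  "securityRules": [
    {"name": "allow-ops-subnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/24", "destinationPortRange": "9200"},
    {"name": "temp-debug-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
  ]
}"""

# Constructed: the corrected set. Debug access is scoped to the ops subnet and an explicit
# deny for the database port sits in front of the default rules.
HARDENED_NSG_JSON = """{
  "name": "support-db-nsg",
  "securityRules": [
    {"name": "allow-ops-subnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/24", "destinationPortRange": "9200"},
    {"name": "debug-from-ops", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/24", "destinationPortRanges": ["22", "9200-9300"]},
    {"name": "deny-db-from-anywhere", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "9200"}
  ]
}"""

_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _is_local(ip):
    return any(ip in net for net in _LOCAL_NETS)


def _source_matches(prefix, ip):
    """Does a sourceAddressPrefix (CIDR, '*', or service tag) cover the probe address?"""
    if prefix == "*":
        return True
    if prefix == "Internet":            # service tag for public address space (approximation)
        return not _is_local(ip)
    if prefix == "VirtualNetwork":      # simplification: VNet space == RFC 1918 here
        return _is_local(ip)
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False                    # other service tags never describe our probe


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")     # "22" or "9200-9300"
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, ip, port, protocol):
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", protocol.lower()):
        return False
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    return (any(_source_matches(p, ip) for p in prefixes)
            and any(_port_matches(p, port) for p in ports))


def effective_decision(nsg, source, port, protocol="Tcp"):
    """Return (access, rule name) of the rule that decides traffic from `source` to `port`."""
    ip = ipaddress.ip_address(source)
    rules = nsg.get("securityRules", []) + (nsg.get("defaultSecurityRules") or _DEFAULT_RULES)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, ip, port, protocol):
            return rule["access"], rule["name"]
    return "Deny", "<no matching rule>"


def load_nsg(text):
    return json.loads(text)


def audit(nsg_json, ports=(DB_PORT, 22)):
    """List (port, rule name) for every port an arbitrary internet host can reach."""
    nsg = load_nsg(nsg_json)
    findings = []
    for port in ports:
        access, name = effective_decision(nsg, PROBE_SOURCE, port)
        if access == "Allow":
            findings.append((port, name))
    return findings


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_NSG_JSON), ("hardened", HARDENED_NSG_JSON)):
        print(label, audit(doc) or "no internet-reachable ports")
```

Run against the exposed document the audit names the debug rule for both ports; against the hardened one it reports nothing, while `effective_decision` still shows the ops subnet reaching 9200 through `allow-ops-subnet`. Wiring `audit` into the pipeline that applies NSG changes, and alerting the owning team whenever it returns a non-empty list, is the alerting mechanism the text describes.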
If you’re searching for the best way to protect your data, the most effective approach starts with improving your knowledge. Explore AOTMP® University’s Efficiency First® Framework: Security Core Activity now to build your better data security solution!