[BreachExchange] Microsoft Security Shocker As 250 Million Customer Records Exposed Online

Destry Winant destry at riskbasedsecurity.com
Thu Jan 23 10:22:29 EST 2020


https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/#514ce91a4d1b

A new report reveals that 250 million Microsoft customer records,
spanning 14 years, have been exposed online without password
protection.

Microsoft has been in the news for mostly the wrong reasons recently.
There is the Internet Explorer zero-day vulnerability for which
Microsoft has not yet issued a patch, despite it being actively
exploited. That came just days after the U.S. Government issued a
critical "update now" alert for Windows 10 concerning the
"extraordinarily serious" CurveBall crypto vulnerability. Now a newly
published report has revealed that 250 million Microsoft customer
records, spanning an incredible 14 years in all, were exposed online in
a database with no password protection.

What Microsoft customer records were exposed online, and where did
they come from?

Paul Bischoff, a privacy advocate and editor at Comparitech, has
revealed how an investigation by the Comparitech security research
team uncovered no fewer than five servers containing the same set of
250 million records. Those records were customer service and support
logs detailing conversations between Microsoft support agents and
customers from across the world. Incredibly, the unsecured
Elasticsearch servers contained records spanning a period from 2005
right through to December 2019. When I say unsecured, I mean that the
data was accessible to anyone with a web browser who stumbled across
the databases: no authentication at all was required to access them,
according to the Comparitech report.

Much of the personally identifiable information appears to have been
redacted. However, the researchers say that many of the records still
contained plain-text data including customer email addresses, IP
addresses, geographical locations, descriptions of the customer service
and support claims and cases, Microsoft support agent emails, case
numbers and resolutions, and internal notes that had been marked as
confidential. This may seem like no big deal in the overall scheme of
things, but when you consider that Microsoft support scams are pretty
rampant, it doesn't take a genius to work out how valuable such
information would be to the fraudsters carrying out those attacks: a
caller who already knows your case number, the agent's name and the
problem you reported is far more convincing.

How was the Microsoft data exposure discovered, and how long did it
take to lock down?


On December 28, 2019, the databases in question were discovered and
indexed by threat intelligence search engine BinaryEdge. The following
day, Bob Diachenko, who headed up the Comparitech security research
team, spotted them and notified Microsoft. "I immediately reported
this to Microsoft, and within 24 hours, all servers were secured,"
Diachenko said. Considering the time of year, this was a remarkably
quick response. That said, it was also a remarkably serious leak.

Eric Doerr, general manager at the Microsoft Security Response Center,
said: "We’re thankful to Bob Diachenko for working closely with us so
that we were able to quickly fix this misconfiguration, analyze data,
and notify customers as appropriate."


It is not known at this point whether the databases were accessed by
anyone else during the time that they were exposed online.

In a Microsoft Security Response Center posting dated January 22,
Microsoft said that "the investigation found no malicious use, and
although most customers did not have personally identifiable
information exposed, we want to be transparent about this incident
with all customers and reassure them that we are taking it very
seriously and holding ourselves accountable."

That posting also confirmed that the exposure of the database started
on December 5, 2019, as the result of misconfigured security rules,
and was remediated on December 31. The statement included an apology
from Microsoft: "We want to sincerely apologize and reassure our
customers that we are taking it seriously and working diligently to
learn and take action to prevent any future reoccurrence."

It’s time for governments to start dropping the hammer on very
preventable data breaches

I asked Ian Thornton-Trump, CISO at Cyjax and co-host of the
BeerConOne virtual security conference, for his thoughts about this
incident. "This is massive, and not unexpected to be honest," he said,
"it just shows how difficult it is for anyone, even a giant tech
company, to manage data and storage correctly."

Given that there has already been interest from European data
protection agencies regarding how Microsoft collects data from Windows
10 users, it wouldn't surprise me if there are now further
investigations with a view to EU General Data Protection Regulation
(GDPR) penalties. "It kind of demoralizes my soul when even the vendor
can’t seem to get it right," Thornton-Trump says, "and why the vendor
is storing such ancient records in the first place? I think it’s time
for governments to start dropping the hammer on these very preventable
data breaches."

What positives can other organizations take away from this incident?

It’s known that this exposure came about as a result of misconfigured
security rules on the server holding the Microsoft customer services
and support data. The question is, then, how can other organizations
avoid finding themselves in a similar sticky security situation? "It's
a common mistake in any environment where data is stored," Bischoff
says, "security groups set firewall rules that decide who can access
what from where (or what device)." However, all of those aspects need
to be audited on a regular basis, "to ensure security groups work as
intended," according to Bischoff. If they don't, then Bischoff advises
that there should be some mechanism in place that detects
misconfigurations. "If a misconfiguration is detected," he says,
"security staff should be notified immediately so it can be remedied."
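The two failure modes the article describes (an Elasticsearch cluster whose REST port was reachable from anywhere without credentials, and firewall rules that nobody audited) can both be checked mechanically. The following is an added example, written for this post and not code from Microsoft, Comparitech or the article: it audits a list of inbound security-group rules for ports 9200/9300 exposed to public address space, and classifies the reply an unauthenticated probe of an Elasticsearch root URL would get back (an open node answers 200 with its cluster banner; one behind authentication answers 401 or 403). The rules, rule names, CIDRs and the banner are constructed sample data, and the "broad" threshold of a public prefix shorter than /24 is an assumption you should tune to your own environment.

```python
"""Added example (not part of the article or any Microsoft/Comparitech code):
an offline audit of firewall / security-group rules for an Elasticsearch
exposure, plus a classifier for the response to an unauthenticated probe.
All rules and responses below are constructed sample data."""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Tuple

# Elasticsearch REST API (9200) and transport (9300) ports.
ES_PORTS = (9200, 9300)

# Address ranges that are never reachable from the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the shape most cloud security groups use."""
    name: str
    proto: str       # "tcp", "udp" or "-1" meaning any protocol
    from_port: int
    to_port: int
    cidr: str        # source range the rule admits


def is_private(net) -> bool:
    """True if the whole network sits inside a private/loopback range."""
    return any(net.version == p.version and net.subnet_of(p)
               for p in PRIVATE_NETS)


def rule_severity(rule: Rule) -> str:
    """'open' if an ES port is allowed from the whole Internet, 'broad' if
    from a public prefix shorter than /24 (assumed threshold), '' otherwise."""
    if rule.proto not in ("tcp", "-1"):
        return ""
    if not any(rule.from_port <= p <= rule.to_port for p in ES_PORTS):
        return ""
    net = ipaddress.ip_network(rule.cidr, strict=False)
    if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0
        return "open"
    if not is_private(net) and net.prefixlen < 24:
        return "broad"
    return ""


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule that exposes Elasticsearch."""
    findings = []
    for r in rules:
        sev = rule_severity(r)
        if sev:
            findings.append((r.name, sev))
    return findings


def classify_probe(status: int, body: str) -> str:
    """Classify the HTTP reply to an unauthenticated GET of the ES root URL.
    An open cluster answers 200 with its banner (cluster_name, version);
    one behind authentication answers 401/403."""
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


# Constructed sample rules, mimicking a misconfigured security group.
SAMPLE_RULES = [
    Rule("es-open-to-world", "tcp", 9200, 9300, "0.0.0.0/0"),
    Rule("es-office", "tcp", 9200, 9200, "203.0.113.0/24"),
    Rule("ssh-world", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("any-from-vpc", "-1", 0, 65535, "10.0.0.0/16"),
    Rule("es-broad-public", "tcp", 9200, 9200, "198.51.0.0/16"),
    Rule("es-ipv6-world", "tcp", 9300, 9300, "::/0"),
]

# Constructed banner in the shape an open Elasticsearch node returns.
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "support-logs",
    "version": {"number": "7.5.1"}, "tagline": "You Know, for Search"})

if __name__ == "__main__":
    for name, sev in audit(SAMPLE_RULES):
        print(f"{sev:5s} {name}")
    print(classify_probe(200, SAMPLE_OPEN_BANNER))
```

Run the audit on every rule change and on a schedule, not once: Bischoff's point is that the rules drift, and a finding of "open" on a port 9200 rule should page someone rather than land in a weekly report. The probe classifier is the second half of that loop, confirming from outside the perimeter that what the rules say matches what the node actually serves.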


More information about the BreachExchange mailing list