17 January 2020
Around 250 million customer service and support records were accidentally exposed online in December last year. The leaked data included conversations between Microsoft support agents and customers recorded from 2005 to December 2019, spanning a 14-year period.
The exposure was uncovered by the Comparitech security research team led by Bob Diachenko. According to the researcher, the data was left accessible to anyone with a web browser. According to the findings, the database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations. All five servers stored the same data and appeared to be mirrors of each other.
Diachenko shared the list of data that might have been exposed. This includes customer email addresses, IP addresses, locations, descriptions of CSS (Customer Service and Support) claims and cases, Microsoft support agent emails, case numbers, resolutions and remarks, and internal notes marked as “confidential.”
This data was reportedly exposed for about two days before the team alerted Microsoft. Diachenko said that he immediately reported this to Microsoft and, fortunately, the company was quick to take action and ultimately acknowledged the exposure.
In its blog post, while holding itself accountable, Microsoft claimed that it “found no malicious use” and that “most customers did not have personally identifiable information exposed,” but said it wants to be transparent about the incident. Microsoft further assured that it is taking this incident very seriously.
Diachenko, on the other hand, has said that the “dangers of this exposure should not be underestimated.” The report on Comparitech claims,
“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number.”
Microsoft mentions that its investigation has determined that the breach happened due to misconfigured security rules. “Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access.” Microsoft also said, “this issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”
Microsoft claims that these misconfigured Azure security rules have now been fixed. Acknowledging that the exposure went unnoticed, Microsoft further shared the actions it is now taking to prevent future occurrences of this issue:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
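The first two actions, auditing network security rules and detecting misconfigurations, can be approximated with a small rule-evaluation check. The following is an added example, not code from the article or from Microsoft: it models Azure NSG-style inbound rules (lowest priority number evaluated first, first match wins), evaluates which Elasticsearch ports are reachable from the Internet, and compares a misconfigured ruleset with a remediated one. The sample rules are constructed, and the Elasticsearch default ports (9200, 9300) are an assumption the article does not state.

```python
# Added example, not from the article: audit NSG-style inbound rules for
# Elasticsearch ports reachable from the Internet. Semantics follow Azure NSGs
# (lowest priority number evaluated first, first match wins). Sample rules are
# constructed; Elasticsearch default ports are an assumption the page never states.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ES_PORTS = (9200, 9300)  # Elasticsearch HTTP and transport defaults
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}

@dataclass
class Rule:
    name: str
    priority: int   # lower number wins
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, "*" or "Internet"
    dest_port: str  # "9200", "9200-9300" or "*"

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port

def first_match(rules: List[Rule], port: int) -> Optional[Rule]:
    """First inbound rule, by priority, hit by Internet-sourced traffic to `port`.
    Rules scoped to a specific CIDR are treated as not matching arbitrary hosts."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == "Inbound" and r.source in PUBLIC_SOURCES and port_matches(r.dest_port, port):
            return r
    return None

def find_exposures(rules: List[Rule]) -> List[Tuple[int, str]]:
    """(port, rule name) for each Elasticsearch port the Internet is allowed to reach."""
    hits = [(p, first_match(rules, p)) for p in ES_PORTS]
    return [(p, r.name) for p, r in hits if r is not None and r.access == "Allow"]

# Constructed sample: a broad Allow ranked above the default Deny exposes 9200.
MISCONFIGURED = [
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
    Rule("allow-es-http", 100, "Inbound", "Allow", "*", "9200"),
    Rule("allow-es-transport", 110, "Inbound", "Allow", "10.0.0.0/8", "9300"),
]
# Remediated: the same rule restricted to the internal address space.
FIXED = [MISCONFIGURED[0], MISCONFIGURED[2],
         Rule("allow-es-http", 100, "Inbound", "Allow", "10.0.0.0/8", "9200")]
```

`find_exposures(MISCONFIGURED)` reports port 9200 as reachable through `allow-es-http`, while `find_exposures(FIXED)` reports nothing; wiring the non-empty result into an alert is the "additional alerting" step the list describes.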