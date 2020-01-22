

Microsoft’s problems continue. A new report disclosed a Microsoft data breach that exposed 250 million of the company’s customer records. The breach happened in December 2019.

Microsoft Data Breach Involving Internal Customer Support Database

The company stated in a blog post that its internal customer support database that stored anonymized user analytics was exposed online without proper protection.

Bob Diachenko of Security Discovery reported the database exposure to Microsoft. The company concluded its investigation and stated that it did not find any malicious use.

In a blog post, Microsoft said:

“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”

Diachenko stated that the company secured the database on the same day he notified the OS maker of the issue. The affected servers held 250 million entries with details including IP addresses, email addresses and support case information. The majority of the records did not include personal user information, though.

Indeed, the exposed data did not contain sensitive information, like credit card details, dates of birth and email aliases. However, it could still be used by scammers.

They can use the information to be more persuasive when they call random people. These scammers can easily claim that they work at Microsoft. Since the data breach included actual case numbers, scammers can mention those numbers to convince their victims.

Protecting Yourself

As stated, Microsoft did not find proof of any malicious use of the breached data. Furthermore, the details on the database are not that sensitive.

Diachenko saw the database after a search engine indexed it on December 28. He is not sure if anyone else saw it.

Despite that, it is still vital to be careful about tech support scams and email phishing scams.

This recent data breach is another indication that it is difficult to manage data and store them correctly. The European data protection agencies were interested in how the company collects data from its users. We can expect them to further investigate this matter with a view to GDPR penalties.

The company said that it started notifying the customers whose data were in the redacted database. Microsoft said that it is auditing its network security rules for internal resources. It is also adding more alerts to support teams each time a security rule misconfiguration is detected.

Common Error

Microsoft admitted that misconfigurations are a common error in the industry. Although it has solutions for preventing this error, they were not enabled for the affected database.

“As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
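The kind of review described above can be automated. The following is an added example, not Microsoft's tooling or code from the original article: it compares two snapshots of network security group rules and reports ports that a change opened to the internet. Field names follow the JSON printed by `az network nsg rule list`; the rule names, port and sample rules are constructed for illustration, and the check ignores protocol and destination address.

```python
# Added example: audit Azure NSG rules (JSON shape of `az network nsg rule list`).
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}  # "anyone" as a source

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _from_internet(rule):
    srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in OPEN_SOURCES for s in srcs)

def _covers_port(rule, port):
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def exposing_rule(rules, port):
    """Name of the Allow rule that opens `port` to the internet, or None.

    NSG rules are evaluated by ascending priority and the first match wins,
    so an earlier Deny from any source shadows a later Allow.
    """
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if _from_internet(r) and _covers_port(r, port):
            return r["name"] if r["access"].lower() == "allow" else None
    return None  # falls through to the default DenyAllInBound rule

def newly_exposed(before, after, ports):
    """Ports that were closed to the internet before a change and open after it."""
    return {p: exposing_rule(after, p) for p in ports
            if exposing_rule(after, p) and not exposing_rule(before, p)}

def _rule(name, prio, access, src, port):  # constructed sample data helper
    return {"name": name, "priority": prio, "direction": "Inbound",
            "access": access, "sourceAddressPrefix": src,
            "sourceAddressPrefixes": [], "destinationPortRange": port,
            "destinationPortRanges": []}

DB_PORT = 5432  # constructed placeholder; the page does not name the port
BEFORE = [_rule("allow-support-vnet", 100, "Allow", "10.0.0.0/8", "5432"),
          _rule("deny-all-inbound", 4096, "Deny", "*", "*")]
AFTER = BEFORE + [_rule("temp-access", 200, "Allow", "*", "5000-6000")]

if __name__ == "__main__":
    print(newly_exposed(BEFORE, AFTER, [DB_PORT, 22]))
```

Running the comparison on every rule change, rather than on a schedule, is what turns it into the misconfiguration alert the company describes.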

The company apologized for this latest Microsoft data breach. But is that enough? Experts want the government to start an investigation into these data breaches that can be easily prevented.


