- Microsoft left a database holding support case analytics of 250 million customers exposed from Dec. 5, 2019 until remediation on Dec. 31, according to the company's disclosure Wednesday and research from Comparitech.
- Bob Diachenko, head of Comparitech's security research, found the open servers on Dec. 29 and notified Microsoft. The software company found misconfigured security rules, and while the company has "solutions" in place to prevent human error, "they were not enabled for this database."
- The records date back to 2005, but personally identifiable information (PII) was redacted in most cases. Exposed records included email addresses, IP addresses, locations, CSS claims and cases, and "confidential" internal notes. Microsoft is notifying customers, but the type of impacted customers is unknown.
While Microsoft's investigation concluded on Wednesday, the company secured the exposed database within 24 hours of Diachenko's discovery.
Speed of recovery is an essential piece to data breaches and how potential privacy fines are calculated. Microsoft, which has extended rights from the General Data Protection Regulations (GDPR) and California Consumer Privacy Act (CCPA) to all its customers, is sitting in a potential privacy conundrum.
The breach occurred before CCPA's Jan. 1 enactment. "The penalty could have been in the billions if this breach had occurred after Dec 31, 2019," said Pravin Kothari, CEO of CipherCloud, in an emailed statement to CIO Dive. The CCPA can levy a fine up to $750 per individual harmed by a breach.
Privacy-related fines are secondary to the immediate impact customers might feel following a breach. "Customers don't have any control over data leaks such as this," Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told CIO Dive in an email.
As the exposed database was hosted on Microsoft Azure, it's advisable for cloud customers to "change passwords for all associated email addresses, and not open emails looking to be from Microsoft support," she said. "If you receive phone calls from Microsoft support, don’t provide any information."
Microsoft's database didn't require a password or authentication while it was exposed, a lesson to learn for organizations with access-centric security models need to transition to data-centric, said Kothari.
When Quest Diagnostics and LabCorp experienced a supply chain data breach, experts feared socially engineered cyberattacks as a result. Attackers could pose an email as lab results, pretending to be a medical provider.
The same is true for tech support. Comparitech said bad actors could "impersonate Microsoft staff" as the company is "the most popular operating system in the world."