Microsoft made headlines this week when it was discovered that nearly 250 million customer service and support records were exposed on the web through several unsecured cloud servers. The incident points to security weaknesses in the industry that still need fixing.

Bob Diachenko, a security researcher with Comparitech, first discovered the vulnerability and immediately alerted Microsoft to the exposed data. “The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019,” according to a blog post on Comparitech’s Website. “All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.”

In a Jan. 22 blog post, Microsoft said it’s taking the incident “very seriously” and holding itself accountable. An internal investigation found no malicious use, and most customers did not have personally identifiable information exposed.

Specifically, the investigation determined that a change made to the database’s network security group on Dec. 5, 2019, “contained misconfigured security rules that enabled exposure of the data,” and “this issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”

As part of Microsoft’s standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information. Microsoft’s investigation confirmed that most of the records were cleared of personal information in accordance with its standard practices.

Microsoft explained, however, that in some scenarios the data may have remained unredacted if it met specific conditions: for example, if the information was in a non-standard format, such as an e-mail address written with spaces (“XYZ @contoso com”) rather than in the standard form (“XYZ@contoso.com”).
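The failure mode just described, a redaction rule that recognises only the canonical address form, is easy to reproduce. The Python below is an added example and not Microsoft's redaction tooling: it runs a strict e-mail pattern and a whitespace-tolerant one over a few constructed support-log lines and reports how many lines each pattern leaves an address in. The log lines, the addresses and the short TLD list are all made up for the example.

```python
import re

# Constructed sample of support-log lines; every address here is fictitious.
SAMPLE_LOG = [
    "Case 0001: customer XYZ@contoso.com reported a sign-in loop",
    "Case 0002: customer XYZ @contoso com reported the same issue",
    "Case 0003: reach me at jane.doe @ example.org after 5pm",
    "Case 0004: no contact details on file",
]

# A naive redaction rule: only the standard user@domain.tld form is recognised.
STRICT_EMAIL = re.compile(
    r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b"
)

# Constructed list of top-level domains used to anchor the tolerant pattern;
# a production rule would load the full IANA / public-suffix list instead.
KNOWN_TLDS = ("com", "net", "org", "edu", "gov", "io")

# A tolerant rule: whitespace is allowed around '@', and a space may stand in
# for the dot between domain labels, so "XYZ @contoso com" is also caught.
TOLERANT_EMAIL = re.compile(
    r"\b[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:[\s.][A-Za-z0-9-]+)*?[\s.](?:"
    + "|".join(KNOWN_TLDS)
    + r")\b",
    re.IGNORECASE,
)

PLACEHOLDER = "[REDACTED-EMAIL]"


def redact(text, pattern=TOLERANT_EMAIL):
    """Replace every address `pattern` finds; return (redacted_text, count)."""
    return pattern.subn(PLACEHOLDER, text)


def audit_redaction(lines, pattern):
    """Redact with `pattern`, then re-scan with the tolerant pattern.

    Returns the number of lines in which an address survived, i.e. the
    residual exposure a stricter redaction rule leaves in the data set.
    """
    survivors = 0
    for line in lines:
        cleaned, _ = redact(line, pattern)
        if TOLERANT_EMAIL.search(cleaned):
            survivors += 1
    return survivors


if __name__ == "__main__":
    for label, pattern in (("strict", STRICT_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        print(f"{label}: {audit_redaction(SAMPLE_LOG, pattern)} line(s) still carry an address")
        for line in SAMPLE_LOG:
            print("   ", redact(line, pattern)[0])
```

The tolerant pattern will occasionally over-match a word that happens to follow a domain label; for a support-analytics store that is the safer direction to err in, since an extra placeholder costs far less than an address that stays in a database later found reachable from the internet. The audit function is the reusable part: running it periodically over a sample of stored records shows whether the redaction stage is keeping pace with the formats customers actually type.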

The timing of the security lapse is notable. In November 2019, Microsoft announced that it would honor the California Consumer Privacy Act throughout the United States, and it was the first company to extend the EU’s General Data Protection Regulation rights to customers around the world.

“This shows that even a forward-thinking company like Microsoft, who is unrelentingly dedicated to protecting their customers, can suffer a data breach due to misconfigurations,” says Chris DeRamus, chief technology officer and co-founder of DivvyCloud. “This illustrates that being compliant does not guarantee that you are secure, especially for companies that have adopted cloud and multi-cloud environments.”

Greg Wendt, executive director of Appsian, expresses similar concern. “In a time of increasing breaches, it’s still striking when a major tech vendor such as Microsoft inadvertently exposes such a huge amount of customer data,” he said. “It shows how challenging it is even for massive corporations to have a precise understanding of where data is stored and who can access it. Even after discovering the exposure, Microsoft can’t fully determine if the data was accessed by malicious actors.”

Wider industry threat

Security experts point to how widespread these vulnerabilities are across the industry. “This incident really speaks to repeated concerns around cloud misconfiguration,” says Raj Bakhru, chief innovation officer of the ACA Compliance Group. “We have seen numerous cases of breaches due to misconfigured Office365 and Amazon Web Services Storage (S3) settings, and this sounds like another.”

Vinay Sridhara, chief technology officer at cyber-security firm Balbix, describes how these attacks often occur: “There have been countless exposures of critical data over the past couple of years, all of which follow the same script: customer data gets uploaded to cloud server; well-meaning developer neglects to password protect or encrypt that externally exposed database; and then enters hacker or threat researcher stage,” he said. “It’s becoming clear that the growing complexity of securing IT assets is an enormous challenge, even for giants like Microsoft.”

Cloud security best practices

“Cloud security is a shared responsibility: The cloud service provides tools that clients need to leverage to properly secure their environment,” Bakhru says. “In many cases, firms have not appropriately locked down these environments, and attackers are actively scanning the cloud environments to identify these misconfigurations and steal data.”

Cyber-security is not just a concern for IT teams. It’s a compliance threat, as well. “The SEC and other regulators have recently highlighted this concern in some of their risk alerts, as well,” Bakhru says.

Sridhara advises that companies put procedures and systems in place that tighten their configuration process and use automation wherever possible. “Monitoring application and device settings and comparing these to recommended best practices reveals the threat for misconfigured devices located across your network and across all servers,” Sridhara says.

Wendt recommends similar measures. To prevent further inadvertent exposures, companies “must adopt dynamic security tools that can monitor user access in real time, providing transparency over what data is accessed and by whom,” he says. “This is the main reason why so many organizations are turning to a multi-layered approach that includes masking sensitive data, verifying identity via multi-factor authentication, and enhanced logging and analytics.”

“These capabilities are designed to prevent unauthorized data access, along with enabling organizations with the ability to identify access trends that may be indicative of incorrect access controls,” Wendt adds. “The enterprise must learn to have eyes and ears on their entire data ecosystem at all times.”

“The software-defined nature of the cloud leads to frequent changes, and it is important that organizations implement a continuous and automated cloud security strategy in order to detect and remediate threats such as misconfigurations and compliance violations in real-time,” DeRamus says. “Additionally, organizations must be cognizant of their cloud service providers’ storage access policies and use these policies to define access.”

Microsoft had to learn these security lessons the hard way. For its part, Microsoft said that it’s working to prevent future occurrences of this issue, including:

  • Auditing the established network security rules for internal resources;
  • Expanding the scope of the mechanisms that detect security rule misconfigurations;
  • Adding additional alerting to service teams when security rule misconfigurations are detected; and
  • Implementing additional redaction automation.
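The first three items in that list amount to one control: evaluate the network security group rules in front of an internal resource and raise an alert when the effective result lets traffic in from the public internet. The Python below is an added example of such a check, not Microsoft's own tooling, and it models rules in a deliberately simplified form (a single source prefix and destination port spec per rule, lower priority number evaluated first). Both rule sets are hypothetical; the rule names, the 10.0.0.0/8 prefix and port 5432 are constructed stand-ins and say nothing about the real database.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NsgRule:
    """Simplified model of a network security group rule (constructed for this example)."""
    name: str
    priority: int       # lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    source: str         # "*", "Internet", "VirtualNetwork", or a CIDR such as "10.0.0.0/8"
    dest_ports: str     # "*", a single port like "443", or a range like "1000-2000"


# Source prefixes that admit traffic from anywhere on the public internet.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Platform-style default rules: private-network traffic allowed in, everything else denied.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
]

# Hypothetical rule sets, not Microsoft's actual configuration. Port 5432 is a
# constructed stand-in for whatever port the analytics database listens on.
MISCONFIGURED_RULES = DEFAULT_RULES + [
    NsgRule("allow-analytics-any", 100, "Inbound", "Allow", "*", "*"),
]
CORRECTED_RULES = DEFAULT_RULES + [
    NsgRule("allow-analytics-corp", 100, "Inbound", "Allow", "10.0.0.0/8", "5432"),
]


def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside a "*", "N" or "N-M" destination port spec."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_admits_internet(source: str) -> bool:
    """True if a rule's source prefix matches traffic arriving from the public internet."""
    return source in PUBLIC_SOURCES


def effective_inbound_access(rules: List[NsgRule], port: int) -> Tuple[str, str]:
    """First-match evaluation of an inbound flow from the internet to `port`.

    Returns (access, rule_name); with no matching rule the outcome is an implicit Deny.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if source_admits_internet(rule.source) and port_in_range(port, rule.dest_ports):
            return rule.access, rule.name
    return "Deny", "(no matching rule)"


def find_internet_exposed_ports(rules: List[NsgRule], ports: List[int]) -> Dict[int, str]:
    """Map each probed port that is reachable from the internet to the rule allowing it."""
    exposed = {}
    for port in ports:
        access, name = effective_inbound_access(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


def flag_permissive_rules(rules: List[NsgRule]) -> List[str]:
    """Static check: inbound Allow rules whose source admits the whole internet."""
    return [
        r.name for r in rules
        if r.direction == "Inbound" and r.access == "Allow" and source_admits_internet(r.source)
    ]


if __name__ == "__main__":
    probe_ports = [22, 443, 5432]
    for label, rules in (("misconfigured", MISCONFIGURED_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{label}: permissive rules = {flag_permissive_rules(rules)}")
        print(f"{label}: internet-exposed ports = {find_internet_exposed_ports(rules, probe_ports)}")
```

Two checks are deliberately kept separate. The static check (`flag_permissive_rules`) is cheap and fires on every rule that names a public source, which is the right trigger for an alert to the owning service team, even where a public web listener is intended. The effective-access check walks the rules in priority order for a given port, which catches the case a static scan misses: a rule that is individually harmless but is shadowed or reordered by a later change, as happened when a rule change on Dec. 5 turned an internal database into a public one.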

As Microsoft candidly stated: “Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake—but, unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”