Microsoft has disclosed a data exposure in an internal customer support database that left 250 million customer service records open to the internet. The database is used to track support cases and contains conversations between Microsoft support agents and customers around the world. All of this data was accessible to anyone with a web browser; no authentication or password was required.
According to Ann Johnson, Vice President of the Cybersecurity Solutions Group at Microsoft, "While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable."
Microsoft's investigation found that the exposure was caused by a change to the database's network security group, introduced on 5 December 2019, which contained misconfigured security rules. In other words, the database itself was not broken into; the network rules in front of it were changed so that it answered to any source without requiring credentials.
"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services," said Microsoft. The company added that its engineers remediated the configuration on 31 December 2019, restricting the database so that unauthorised access was no longer possible.
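The misconfiguration class described above, a network rule change that opens a database port to any source, is easy to catch before deployment if rule sets are audited mechanically. The following is an added example, not code from Microsoft or from the original article: it evaluates a set of inbound rules the way cloud network security groups typically do (lower priority number is checked first, first match decides) against a hypothetical Internet host and reports any database port that ends up allowed. The rule format, the "Internet" tag, the port list and both rule sets are constructed for illustration.

```python
"""Audit network security rules for database ports that an arbitrary
Internet host can reach.  Added example: the rule model (lower priority
number wins, first match decides, an "Internet" tag for public sources)
is a simplified, hypothetical model loosely based on cloud network
security groups; the sample rules are constructed, not Microsoft's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical list of ports to watch; extend it for your own estate.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgres",
            6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}

# Simplified "Internet" tag: any address outside RFC 1918 space.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROBE = ip_address("203.0.113.5")   # TEST-NET-3 address standing in for any Internet host


@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*" or the tag "Internet"
    dest_ports: str    # "3306", "9200-9300", "22,3389" or "*"


def port_matches(spec: str, port: int) -> bool:
    """True if a port spec ("*", single, range, comma list) covers port."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_matches(spec: str, addr) -> bool:
    """True if a source spec ("*", "Internet" or a CIDR) covers addr."""
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(addr in net for net in PRIVATE)
    try:
        return addr in ip_network(spec, strict=False)
    except ValueError:
        return False   # unknown tag: assume it does not cover this address


def effective_rule(rules, port: int, addr=PROBE, direction: str = "Inbound"):
    """First rule, in priority order, matching (direction, source, port).
    Returns None when nothing matches; the platform default then applies."""
    if isinstance(addr, str):
        addr = ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and source_matches(rule.source, addr)
                and port_matches(rule.dest_ports, port)):
            return rule
    return None


def audit(rules) -> dict:
    """Map each DB port that PROBE is allowed to reach to the rule allowing it."""
    findings = {}
    for port in DB_PORTS:
        rule = effective_rule(rules, port)
        if rule is not None and rule.access == "Allow":
            findings[port] = rule.name
    return findings


# Constructed rule sets.  BEFORE contains the class of mistake the article
# describes: a change that exposes a database port to any source.
BEFORE = [
    Rule("allow-ssh-bastion", 100, "Inbound", "Allow", "10.0.1.0/24", "22"),
    Rule("allow-analytics", 200, "Inbound", "Allow", "*", "9200-9300"),
    Rule("deny-all", 4096, "Inbound", "Deny", "*", "*"),
]
# AFTER restricts the same port to the internal network and adds an explicit
# deny so a later Allow rule with a higher priority number cannot reopen it.
AFTER = [
    Rule("allow-ssh-bastion", 100, "Inbound", "Allow", "10.0.1.0/24", "22"),
    Rule("deny-db-internet", 150, "Inbound", "Deny", "Internet", "9200-9300"),
    Rule("allow-analytics-vnet", 200, "Inbound", "Allow", "10.0.0.0/16", "9200-9300"),
    Rule("deny-all", 4096, "Inbound", "Deny", "*", "*"),
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        found = {f"{p}/{DB_PORTS[p]}": name for p, name in audit(rules).items()}
        print(label, "->", found or "no DB port reachable from the Internet")
```

The check is deliberately run against a concrete public address rather than by looking for rules with `source == "*"`, because an overly broad allow is harmless if a higher-priority deny shadows it, and a narrow-looking allow can still be reachable if nothing denies the public range first; evaluating the effective rule is what answers the question the incident raises. The same function run with an internal address confirms that the restricted rule set still lets the analytics network in.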
The issue was first reported by security researcher Bob Diachenko, and Microsoft later thanked him for helping to fix it. "We want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," said Microsoft.
"I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve," says Diachenko.
Although the company played down the risk, the records included customer email addresses, IP addresses and locations, the email addresses of Microsoft support agents, and internal notes marked "confidential".
Researchers warn that scammers who copied the data before the issue was fixed could use it to impersonate genuine Microsoft support staff: knowing a real case number, the agent's name and email address, and the details of a customer's previous support conversation makes a fraudulent "follow-up" call or email far more convincing than a cold approach.
"Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems," the security team said.
This was not the first time Microsoft has had a data security lapse. Similar issues occurred in 2013 and at the beginning of 2019, when attackers compromised a support agent's account and used it to access the contents of some users' accounts.