Microsoft recently had an issue in which data belonging to some of its customers was left exposed on the internet to anyone who knew where to look.
Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.
The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.
Microsoft has concluded that the issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. Microsoft is working to improve their processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.
While Microsoft thanked SOCRadar for reporting the misconfigured endpoint, it expressed unhappiness with how the security company handled the public release.
Microsoft notes that SOCRadar has greatly exaggerated the scope of the issue: Microsoft's in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users, and SOCRadar did not correct its account even after Microsoft highlighted the error.
Microsoft also expressed disappointment that SOCRadar chose to publicly release a “search tool”, which in Microsoft's view is not in the best interest of customer privacy or security and potentially exposes customers to unnecessary risk.
Microsoft notes that any security company wanting to provide a similar tool should follow basic measures to protect data and privacy:
- to implement a reasonable verification system to ensure that a user is who it purports to be;
- to follow data minimization principles by scoping the results delivered solely to information pertaining to that verified user only;
- where the company cannot determine with reasonable fidelity which customers had affected data, to not surface to a given user any information (including metadata and filenames) that may belong to another customer.
Microsoft says they have focused their attention on directly notifying impacted customers and providing them with instructions for contacting Microsoft with questions or concerns. Microsoft notes that if customers did not receive a Message Center communication, the investigation did not identify an impact to them.
Microsoft says that once it was notified of the misconfiguration, the endpoint was quickly secured and is now accessible only with the required authentication. Its investigation ultimately found no indication that customer accounts or systems were compromised.