Microsoft said that misconfigured access rules on an internal customer database exposed millions of customer data records.
The exposed database was used for Microsoft support case analytics. Microsoft discovered the issue early last month after an internal investigation.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access,” Microsoft said in a blog post.
Microsoft also stated that most of its customers did not have personally identifiable information exposed. Furthermore, the company said the exposure did not impact its commercial cloud services.
Microsoft also confirmed “that the vast majority of records were cleared of personal information in accordance with our standard practices.” For example, best practices include redaction and removal of personal information using automated tools.
However, some records may not have been redacted if the data met specific conditions, for instance email addresses stored in non-standard formats, such as an address written with spaces instead of “XYZ@contoso.com”.
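To illustrate the redaction gap described above, here is an added example (not Microsoft's tooling; the support records are constructed): a conventional email-matching redaction pass leaves addresses written with spaces untouched, while a whitespace-tolerant pattern plus a post-redaction check catches them before records are shared.

```python
import re

# Constructed sample support-case records (not real data). Records 1002 and
# 1003 carry addresses in the non-standard, space-separated form the article
# describes; record 1001 is the standard form.
SAMPLE_RECORDS = [
    "Case 1001: customer XYZ@contoso.com reported a sign-in error.",
    "Case 1002: follow-up sent to XYZ @ contoso . com regarding refund.",
    "Case 1003: customer contact: xyz @contoso.com, escalated to tier 2.",
    "Case 1004: no contact details recorded.",
]

# Conventional pattern as used by a typical automated redaction tool: it
# requires the address to be contiguous, so "XYZ @ contoso . com" never matches.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def naive_redact(text: str) -> str:
    """Redact only well-formed addresses; spaced-out ones slip through."""
    return EMAIL_RE.sub("[REDACTED]", text)

# Whitespace-tolerant pattern: allows spaces around '@' and around the dots
# of the domain. It trades a little precision for recall, which is the right
# trade for a redaction gate on data that is about to leave your control.
SPACED_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*(?:[A-Za-z0-9-]+\s*\.\s*)+[A-Za-z]{2,}"
)

def hardened_redact(text: str) -> str:
    """Redact both standard and space-separated addresses."""
    return SPACED_EMAIL_RE.sub("[REDACTED]", text)

def unredacted_indexes(records, redact) -> list:
    """Release gate: run the given redaction over every record and return the
    indexes of records that still contain something that looks like an
    address. A non-empty result should block publication of the dataset."""
    return [i for i, rec in enumerate(records)
            if SPACED_EMAIL_RE.search(redact(rec))]

if __name__ == "__main__":
    print("naive leaves PII in records:", unredacted_indexes(SAMPLE_RECORDS, naive_redact))
    print("hardened leaves PII in records:", unredacted_indexes(SAMPLE_RECORDS, hardened_redact))
```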
Paul Bischoff of Comparitech also wrote that the incident exposed 250 million personal data records online.
“The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed,” Bischoff added in a blog post.
Microsoft recommends that organizations periodically review their database configurations and make sure they take advantage of all available protections.