
Yet another data leak at one of the biggest technology companies on the planet. This time, however, the response has been anything but convincing. The facts were revealed by the security firm SOCRadar. And the victim, or the culprit, of the leak? Microsoft.
According to SOCRadar, a security error at Microsoft exposed 2.4 terabytes of data containing information dated between 2017 and August of this year. The information is very varied: signed contracts, invoices, contact information, emails, product orders and offers, service execution tests… in short, personally identifiable information and intellectual property of at least 65,000 current customers.
The security firm insists that it found all that information exposed in a single data bucket as the result of a misconfigured Azure Blob Storage, that is, Microsoft’s object storage solution for the cloud, optimized to store large amounts of unstructured data.
Microsoft was quick to come forward and deny these claims, asserting that SOCRadar “greatly exaggerated the scope of this problem”, as some of the exposed data included “duplicate information, with multiple references to the same emails, projects and users”. The company also defended itself by stating that “the problem was caused by an inadvertent misconfiguration on an endpoint that is not in use throughout the Microsoft ecosystem”, so it “was not the result of a security vulnerability.”
Microsoft’s miscommunication of the incident
Upon learning of this security error, one of Microsoft’s customers contacted the company demanding explanations and wanting to know which specific data belonging to its company had been affected. The tech giant’s response was not entirely satisfactory to the customer: “We are unable to provide affected data specific to this issue,” according to a Microsoft support engineer.
What is objectionable, according to SOCRadar and those affected, is not only the leak or security error itself, but also how the company notified those affected, practically all of them companies. To do so, it used the Message Center, an internal messaging system that Microsoft uses to communicate with administrators. However, not all administrators have access to this tool, so it is likely that some notifications of the error have not yet been seen. A leak on Twitter of Microsoft’s response angered those affected. In it, the company stated that it was not required by law to reveal the origin of the lapse to the authorities.
However, things have gone further. Also on Twitter, a computer researcher, Kevin Beaumont, showed with several screenshots that the data had been publicly accessible for months in Grayhat Warfare, a database that scans for and stores exposed data in public buckets. This cached data included digitally signed contracts and purchase orders, among other items. There was even email information from the US government itself.
In addition to the criticism of how Microsoft has admitted to the leak, the incident also raises questions about Microsoft’s data retention policies. Often, data that is years old is more useful to potential criminals than to the business that owns it. In cases like these, without a doubt, the best practice is to periodically destroy the data.
If an organization has been affected by this exposure of private data, its workers should be on the lookout for scams, phishing emails or other malicious techniques.



