Security firm Comparitech reported a major data breach at Microsoft that exposed 250 million customer records over a period of a couple of days. Microsoft said the leaked data, which did not include personally identifiable information, was not used maliciously.
The Comparitech team, led by security researcher Bob Diachenko, uncovered five Elasticsearch servers which contained five apparently identical sets of records.
The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
Most of the personally identifiable information, such as contract numbers, payment information, etc., was redacted, but some of it was still available in plain text. Microsoft confirmed that, in line with its standard operating procedure, personal information had been removed using automated tooling. It also clarified under which conditions data may have been left unredacted:
An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, “XYZ @contoso com” vs “XYZ@contoso.com”).
Microsoft's investigation into what caused the data breach traced it to a configuration change to the database's network security group, which included misconfigured security rules. This made the data publicly discoverable and, at the end of December, the search engine BinaryEdge indexed the Microsoft databases. BinaryEdge specializes in scanning the Internet to determine the extent to which private assets are inadvertently exposed.
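As an added illustration, not code from the article, Microsoft or Comparitech, the following script audits a constructed set of Azure network security group rules (in the `securityRules` shape the Azure API uses) and reports whether the Elasticsearch REST and transport ports would be reachable from the Internet; the rule names, priorities and address prefixes are assumed. A weak rule set that allows any source is shown beside a corrected one that restricts access to an application subnet and explicitly denies Internet traffic.

```python
# Hypothetical audit (not from the article or Microsoft): evaluate an Azure NSG's
# securityRules as Azure does (lowest priority number wins) for Elasticsearch ports.
from typing import Dict, List

ES_PORTS = (9200, 9300)  # Elasticsearch REST API and transport ports
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}  # "Internet" = Azure service tag
TCP_PROTOCOLS = {"*", "tcp"}  # Elasticsearch listens on TCP only

def _dest_ports(props: Dict) -> List[str]:
    ranges = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    return ranges

def _covers_port(rng: str, port: int) -> bool:
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")  # "9200" or "9200-9300"
    return int(lo) <= port <= int(hi or lo)

def _source_is_internet(props: Dict) -> bool:
    prefixes = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        prefixes.append(props["sourceAddressPrefix"])
    return any(p.lower() in INTERNET_SOURCES for p in prefixes)

def effective_inbound_access(rules: List[Dict], port: int) -> str:
    """Verdict Azure applies to an Internet-sourced inbound TCP packet for `port`."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("protocol", "*").lower() not in TCP_PROTOCOLS:
            continue
        if _source_is_internet(p) and any(_covers_port(r, port) for r in _dest_ports(p)):
            return p["access"]  # first matching rule decides
    return "Deny"  # nothing matched: Azure's built-in DenyAllInBound rule applies

def exposed_es_ports(rules: List[Dict]) -> List[int]:
    return [port for port in ES_PORTS if effective_inbound_access(rules, port) == "Allow"]

# Constructed sample rules (assumed names and prefixes, not the incident's real rules).
WEAK_RULES = [{"name": "allow-es-any", "properties": {"priority": 100, "direction": "Inbound",
    "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"}}]
FIXED_RULES = [
    {"name": "allow-es-app-subnet", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "10.1.0.0/24", "destinationPortRange": "9200-9300"}},
    {"name": "deny-es-internet", "properties": {"priority": 110, "direction": "Inbound", "access": "Deny",
        "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["9200", "9300"]}}]

if __name__ == "__main__":
    print("weak:", exposed_es_ports(WEAK_RULES), "fixed:", exposed_es_ports(FIXED_RULES))
```

Network-level filtering is only one layer: even with the corrected rules, an Elasticsearch node with no authentication remains open to anything inside the allowed subnet.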
In a tweet, Diachenko acknowledged that Microsoft was quick to secure the data:
Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite this occurring on New Year's Eve.
He also remarked that "misconfigurations happen -- no matter how big or secured a company is".
Worrisome as it may appear, this breach is only the latest in a long and growing series of data breaches that exposed almost 8 billion records in 2019 alone, according to blockchain startup SelfKey:
AT LEAST 7.9 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches in 2019.
This obviously raises the question of how secure our personal data is in the hands of Internet companies.
Indeed, quite a number of comments on Hacker News pointed to the absence of legal consequences for this kind of mishandling, whether intentional or not. This is true of the world at large, with the notable exception of the European Union, where the recent GDPR regulation promises to protect customers from the mishandling of their personal data. Under GDPR, a company can be fined up to 4% of its global annual turnover. It is not yet known whether EU GDPR regulators are investigating the Microsoft data breach, but EU-based customers may contact Microsoft's Data Protection Officer to request more detailed information about their data.
Other developers on Hacker News pointed to Elasticsearch as a key factor in this data breach, since it does not provide an adequate level of security out of the box. As a matter of fact, authentication was added to the open source version only in May 2019, and Elasticsearch's security features still require a paid subscription to license the use of its security module. Interestingly, however, Amazon released a free and open source security module for Elasticsearch as part of its Open Distro project.