In a recent blog post, Microsoft disclosed details of a security breach that took place in December 2019.
According to the blog post, the incident was caused by the misconfiguration of an internal customer support database that was used for support case analytics.
The misconfiguration exposed nearly 250 million “Customer Service and Support” (CSS) records online between December 5 and December 31. The records were accessible to anyone with internet access and had no password protection or encryption.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access.
This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” Microsoft stated in a blog post.
The records included conversation logs between Microsoft support agents and customers across the globe, spanning from 2005 through December 2019.
The unprotected database was spotted by Bob Diachenko, a security researcher with Security Discovery, who reported it to Microsoft. The company moved to address the issue the same day Diachenko reported it, even though it was New Year’s Eve.
According to Diachenko, the customer support database consisted of a cluster of five Elasticsearch servers used to help simplify search operations. All five servers stored the same set of 250 million records.
“I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko said. “I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Microsoft points out that the “vast majority of records were cleared of personal information.” Any personally identifiable information was already redacted from the records. The company also ruled out any malicious intent or use of the exposed data.
“While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable,” Microsoft said.
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.”
The company has already begun notifying affected customers whose data was included in the exposed CSS database.
Microsoft also praised Diachenko for his efforts and said, “We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
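The root cause Microsoft describes, a network security group change that opened the Elasticsearch cluster to the internet, is the kind of change a pre-deployment check can flag. The following is an added example, not Microsoft's tooling or configuration: it evaluates inbound rules in priority order, the way Azure NSGs do, and reports the rule that would admit internet traffic. The rule sets are constructed, the dictionary layout is a simplification of NSG rule properties, and port 9200 (Elasticsearch's default HTTP port) is an assumption, since the article names no port.

```python
import ipaddress

ES_PORT = 9200  # assumption: Elasticsearch default HTTP port; not stated in the article

def port_matches(ranges, port):
    """True if port falls in any entry: "*", a single port, or "low-high"."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_public(source):
    """True if the source covers the whole internet ("*", Internet tag, or a /0)."""
    if source in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # any other service tag, e.g. VirtualNetwork

def internet_exposure(rules, port=ES_PORT):
    """Name of the inbound Allow rule that admits internet traffic to port, else None.

    Rules are checked lowest priority number first and the first match decides.
    Only sources covering the whole internet are considered; protocol is ignored.
    """
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if is_public(r["source"]) and port_matches(r["ports"], port):
            return r["name"] if r["access"] == "Allow" else None
    return None  # nothing matched: the platform's default inbound deny applies

# Constructed rule sets: a restricted baseline, then the same set after a bad change.
BASELINE = [
    {"name": "allow-analytics-subnet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "source": "10.20.0.0/24", "ports": ["9200-9300"]},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "source": "*", "ports": ["*"]},
]
AFTER_CHANGE = BASELINE + [
    {"name": "allow-search-any", "priority": 90, "direction": "Inbound",
     "access": "Allow", "source": "*", "ports": ["9200"]},
]

if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE), ("after change", AFTER_CHANGE)):
        print(label, "->", internet_exposure(rules) or "not exposed")
```

Run against an exported rule set as a gate on NSG changes, a non-`None` result identifies the rule to review before it is applied.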