Microsoft last December misconfigured five Elasticsearch servers – each one containing the same data set of 250 million customer support records – leaving their information publicly exposed on the internet, according to researchers.
The configuration error occurred on Dec. 5, 2019 and was remedied by Dec. 31, shortly after Bob Diachenko, head of Comparitech's security research team, notified Microsoft of the issue. "I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko said. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
The five openly configured servers comprise an internal customer support database that Microsoft leverages for analytics purposes. The records stored within consist of logs of interactions between Microsoft users and support agents, which take place over a 14-year period from 2015 through December 2019.
Most personally identifiable information such as email aliases, contract numbers and payment information was redacted from the records with the help of automated tools. But Diachenko found that in some cases certain PII sneaked through in plain text, including customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes.
In its own blog post, the MSRC team said that the automated tools may have failed to redact certain data if it was originally entered in a non-standard format, for instance if an email address contained a space between the username component and the "@" symbol and domain name.
Ekaterina Khrustaleva, COO of web security company ImmuniWeb, said that the relative lack of PII in the dump is "irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords. The data is a gold mine for patient criminals aiming to breach large organizations and governments."
It is not known if any unauthorized parties, including malicious actors accessed any of the leaked data in this particular case.
"Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database," said Microsoft's blog post, which was attributed to Ann Johnson, corporate vice president of the company's Cybersecurity Solutions Group; Eric Doerr, general manager of MSRC; and the MSRC team. "As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."
"Organizations need to change their security approach from access centric to data-centric. It's even more important to protect your data with encryption, as you can assume that the data would be either leaked by user errors or hackers would get to your data, sooner or later," said Pravin Kothari, founder and CEO of CipherCloud. "It’s also a wake-up call for businesses to be aware of cloud weaknesses and prepare for California Consumer Privacy Act. The penalty could have been in the billions if this breach had occurred after Dec 31, 2019," when the law took effect.
"What sticks out about this incident is the fact that in early November 2019, Microsoft announced that it will honor CCPA throughout the U.S., and it was the first company to extend GDPR rights to customers around the world. This shows that even a forward-thinking company like Microsoft, who is unrelentingly dedicated to protecting their customers, can suffer a data breach due to misconfigurations," said Chris DeRamus, CTO and co-founder of DivvyCloud. "This illustrates that being compliant does not guarantee that you are secure, especially for companies that have adopted cloud and multi-cloud environments. The software-defined nature of the cloud leads to frequent changes and it is important that organizations implement a continuous and automated cloud security strategy in order to detect and remediate threats such as misconfigurations and compliance violations in real-time."
Microsoft said that in response to its mistake, it was taking steps to audit its network security rules for internal resources, expand "the scope of mechanisms that detect security rule misconfigurations"; implement additional alerts for when misconfigurations are detected; and enhance the automation of redactions.