Dive Brief:
- Microsoft left a database holding support case analytics of 250 million customers exposed from Dec. 5, 2019 until remediation on Dec. 31, according to the company's disclosure Wednesday and research from Comparitech.
- Bob Diachenko, head of Comparitech's security research, found the open servers on Dec. 29 and notified Microsoft. The software company found misconfigured security rules, and while the company has "solutions" in place to prevent human error, "they were not enabled for this database."
- The records date back to 2005, but personally identifiable information (PII) was redacted in most cases. Exposed records included email addresses, IP addresses, locations, CSS claims and cases, and "confidential" internal notes. Microsoft is notifying customers, but which customers were affected is not yet known.
Dive Insight:
While Microsoft's investigation concluded on Wednesday, the company secured the exposed database within 24 hours of Diachenko's discovery.
Speed of recovery is an essential factor in data breaches and in how potential privacy fines are calculated. Microsoft, which has extended rights from the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) to all its customers, is sitting in a potential privacy conundrum.
The breach occurred before CCPA's Jan. 1 enactment. "The penalty could have been in the billions if this breach had occurred after Dec 31, 2019," said Pravin Kothari, CEO of CipherCloud, in an emailed statement to CIO Dive. The CCPA can levy a fine up to $750 per individual harmed by a breach.
Privacy-related fines are secondary to the immediate impact customers might feel following a breach. "Customers don't have any control over data leaks such as this," Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told CIO Dive in an email.
As the exposed database was hosted on Microsoft Azure, it's advisable for cloud customers to "change passwords for all associated email addresses, and not open emails looking to be from Microsoft support," she said. "If you receive phone calls from Microsoft support, don't provide any information."
Microsoft's database didn't require a password or authentication while it was exposed, a lesson that organizations with access-centric security models need to transition to data-centric ones, said Kothari.
When Quest Diagnostics and LabCorp experienced a supply chain data breach, experts feared socially engineered cyberattacks as a result. Attackers could disguise an email as lab results, pretending to be a medical provider.
The same is true for tech support. Comparitech said bad actors could "impersonate Microsoft staff," as the company produces "the most popular operating system in the world."