Microsoft Exposes 250M Customer Support Records on Leaky Servers
Sergiu Gatlan
January 22, 2020
Microsoft disclosed a security breach caused by a misconfigured internal customer support database that led to the accidental exposure of roughly 250 million customer support and service records, some of them containing personally identifiable information.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," Microsoft said in a blog post published today.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access."
Most records automatically anonymized
Microsoft didn't get into details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, only that data in the support case analytics database was "redacted using automated tools to remove personal information."
While most of the records stored within the heavily-redacted internal customer support database used for support case analytics did not contain personal information, some non-standard PII wasn't anonymized.
For instance, email addresses separated with spaces like 'username @ domain.com' instead of 'username@domain.com' were left untouched by Microsoft's automated PII redaction tools.
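The failure mode described above is easy to reproduce: a redactor built around a strict email pattern only matches addresses with no whitespace around the '@' and the dots, so a customer who types their address with spaces slips past it. The example below is added here and is not Microsoft's redaction code; it contrasts a strict pattern with a whitespace-tolerant one and includes a residual check that reports whatever addresses survive redaction, run over constructed support-case notes (not real data).

```python
import re

# Strict pattern: what a typical automated redactor looks for. It only matches
# addresses written with no whitespace around '@' or around the domain's dots.
STRICT_EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Tolerant pattern: allows optional whitespace around the '@' and around dots in
# the domain, so 'username @ domain.com' and 'user @ domain . com' still match.
TOLERANT_EMAIL = re.compile(
    r"\b[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)*\s*\.\s*[A-Za-z]{2,}\b"
)

PLACEHOLDER = "[email redacted]"


def redact_strict(text: str) -> str:
    """Redaction as a naive tool would do it: contiguous addresses only."""
    return STRICT_EMAIL.sub(PLACEHOLDER, text)


def redact_tolerant(text: str) -> str:
    """Redaction that also catches addresses broken up with spaces."""
    return TOLERANT_EMAIL.sub(PLACEHOLDER, text)


def residual_emails(text: str) -> list:
    """Addresses the tolerant matcher still finds in text.

    Running this over already-redacted output is the check that matters: a
    non-empty result means PII leaked through the redaction step.
    """
    return [m.group(0) for m in TOLERANT_EMAIL.finditer(text)]


def audit_redaction(notes, redactor) -> list:
    """Apply `redactor` to every note and collect the addresses that survive."""
    leaked = []
    for note in notes:
        leaked.extend(residual_emails(redactor(note)))
    return leaked


# Constructed sample support-case notes (not real data).
SAMPLE_NOTES = [
    "Customer john.doe@example.com reports login failure.",
    "Customer wrote back from john.doe @ example.com, same issue.",
    "Agent reply sent to  j.doe @ example . com  (typo in ticket).",
    "No contact info in this note.",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print("strict  :", redact_strict(note))
        print("tolerant:", redact_tolerant(note))
    print("leaked after strict redaction  :", audit_redaction(SAMPLE_NOTES, redact_strict))
    print("leaked after tolerant redaction:", audit_redaction(SAMPLE_NOTES, redact_tolerant))
```

The tolerant pattern trades a few false positives (a stray '@' between two words) for far fewer misses, which is the right trade for a dataset that is about to leave a trust boundary; the residual check is what turns redaction from a best-effort transform into something you can measure before publishing or exporting the data.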
We're committed to the privacy & security of our customers and want to be transparent about the misconfiguration of a heavily-redacted internal customer support database used for support case analytics that was exposed to the internet for a matter of days. https://t.co/cMDzrIfA0k — Security Response (@msftsecresponse) January 22, 2020
However, Security Discovery's Cyber Threat Intelligence Director Bob Diachenko, the researcher who reported the exposed data to Microsoft, told BleepingComputer that the 250 million customer support and service records were stored on five identical ElasticSearch clusters.
The records "contained chats, cases descriptions - everything you can imagine being part of MS CSS daily routine," he added. Diachenko also confirmed that "most of the data had PII redacted automatically" in the exposed database.
As he also revealed in a report published in collaboration with Comparitech, the records that weren't properly anonymized exposed customer email addresses, IP addresses, locations, CSS claims and case descriptions, Microsoft support agent emails, and internal notes marked as "confidential."
Diachenko also shared that Microsoft's support team secured the databases on December 30, a day after the report he sent on December 29.
Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4 — Bob Diachenko (@MayhemDayOne) January 22, 2020
Microsoft also said in its disclosure that it is taking measures to prevent future incidents involving customer data.
As the blog post says, Microsoft will start:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
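The first three measures amount to one control: evaluate the inbound rules of a network security group the way the platform does (ascending priority, first match wins, deny by default) and raise an alert when a change makes a sensitive port reachable from the internet. The example below is added here and is not Microsoft's tooling; the rule shape is modelled on the properties of an Azure NSG security rule (an assumption, as are the rule names and the 9200/9300 Elasticsearch ports), and the rule sets are constructed to mirror the scenario in the article: a baseline that only admits traffic from the virtual network, then a change that adds a broad allow rule ahead of it.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Rule shape modelled on Azure NSG security-rule properties (assumption: field
# names follow that schema; all values used below are constructed).
@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int          # lower number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source_prefix: str     # "*", "Internet", "VirtualNetwork" or a CIDR
    dest_port_range: str   # "9200", "9200-9300" or "*"


# Source prefixes that admit traffic from anywhere on the internet. A fuller
# audit would also parse CIDRs and treat any non-private range as public.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def port_in_range(port: int, port_range: str) -> bool:
    """True if `port` falls inside a single port, a 'lo-hi' range or '*'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return port == int(port_range)


def protocol_matches(rule_protocol: str, protocol: str) -> bool:
    return rule_protocol == "*" or rule_protocol.lower() == protocol.lower()


def deciding_inbound_rule(rules: Iterable[NsgRule], port: int,
                          protocol: str = "Tcp") -> Optional[NsgRule]:
    """Return the rule that decides internet-originated inbound traffic to `port`.

    Mirrors NSG semantics: rules are evaluated in ascending priority and the
    first one whose direction, protocol, port and source match wins. Rules
    scoped to a private source (e.g. VirtualNetwork) cannot match internet
    traffic and are skipped.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if not protocol_matches(rule.protocol, protocol):
            continue
        if not port_in_range(port, rule.dest_port_range):
            continue
        if rule.source_prefix not in PUBLIC_SOURCES:
            continue
        return rule
    return None


def internet_exposed_ports(rules: Iterable[NsgRule],
                           watched_ports: Iterable[int],
                           protocol: str = "Tcp") -> List[Tuple[int, str]]:
    """(port, rule name) for each watched port reachable from the internet.

    A port with no matching rule is treated as denied, which is what the
    platform's default deny-all-inbound rule does.
    """
    findings = []
    for port in watched_ports:
        rule = deciding_inbound_rule(rules, port, protocol)
        if rule is not None and rule.access == "Allow":
            findings.append((port, rule.name))
    return findings


def newly_exposed(before: Iterable[NsgRule], after: Iterable[NsgRule],
                  watched_ports: Iterable[int]) -> List[Tuple[int, str]]:
    """Ports exposed after a rule change that were not exposed before it.

    This is the condition a change-review hook or alert should fire on.
    """
    already = {p for p, _ in internet_exposed_ports(before, watched_ports)}
    return [(p, r) for p, r in internet_exposed_ports(after, watched_ports)
            if p not in already]


# Constructed baseline: the data tier is reachable only from the virtual network.
BASELINE_RULES = [
    NsgRule("allow-es-from-vnet", 100, "Inbound", "Allow", "Tcp", "VirtualNetwork", "9200-9300"),
    NsgRule("deny-all-inbound", 4096, "Inbound", "Deny", "*", "*", "*"),
]
# Constructed bad change: a broad allow rule inserted ahead of the baseline.
MISCONFIGURED_RULES = BASELINE_RULES + [
    NsgRule("allow-any-temp", 90, "Inbound", "Allow", "*", "*", "*"),
]
ELASTIC_PORTS = [9200, 9300]  # assumed data-tier ports worth watching

if __name__ == "__main__":
    print("exposed before change:", internet_exposed_ports(BASELINE_RULES, ELASTIC_PORTS))
    print("exposed after change :", internet_exposed_ports(MISCONFIGURED_RULES, ELASTIC_PORTS))
    print("alert on            :", newly_exposed(BASELINE_RULES, MISCONFIGURED_RULES, ELASTIC_PORTS))
```

Run against the two constructed rule sets, the baseline reports nothing and the changed set reports both Elasticsearch ports allowed by the new rule; wiring `newly_exposed` into the pipeline that applies rule changes gives the kind of alert the fourth and fifth bullets describe, and running `internet_exposed_ports` on a schedule over every NSG covers the audit in the first.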