Microsoft Customer Data Exposed by Misconfigured Server
The data exposure was the result of an "unintentional misconfiguration on an endpoint" and not a security vulnerability, Microsoft said.
Sensitive information for some Microsoft customers were exposed by a misconfigured server, Microsoft Security Response Center said on Wednesday. The misconfigured endpoint was accessible on the Internet and did not require authentication.
The exposed information included names, email addresses, email content, company name, phone numbers, and files "relating to business between a customer and Microsoft or an authorized Microsoft partner," the company said. The endpoint has already been secured to require authentication, and affected customers have been notified.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said, noting that there is no indication that customer accounts or systems had been compromised.
Microsoft learned of the misconfiguration on Sept. 24 from a research team at SOCRadar.
SOCRadar's researchers claimed in their own blog post to have found 2.4TB of emails and project files containing Statement of Work documents, product orders, project details, personally identifiable information, invoices, price lists, and "documents that may reveal intellectual property." The researchers claimed the exposed information could be linked to more than 65,000 entities from 111 countries.
Microsoft said SOCRadar "greatly exaggerated the scope of this issue" and did not account for duplicate records in its estimate of affected entities. Microsoft also said SOCRadar's decision to release a search tool to look through the files "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024