Massive Microsoft Data Breach Could Have Been Avoided
Published: February 12, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
For all the wrong reasons, Microsoft recently made cybersecurity headlines yet again. According to the company, a whopping 250 million customer files spanning 14 years were discovered unsecured online. Security experts discovered Microsoft’s customer records were stored in a public-facing, cloud database with no password or authentication protection. In other words, the data of millions was there for the taking by anyone with a web browser and a little curiosity. Had someone at Microsoft been paying attention, this vexing situation could have been easily prevented. This latest breach is just the next in a line of recent disturbing security situations involving the technology giant and its customers.
The data exposed was literally up for grabs to the entire world for 25 days before the discovery. According to Microsoft, a change made to database security in December of last year contained misconfigured security rules leading to the publicly exposed customer data. The company said, “This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.” However, that’s cold comfort for Microsoft support service customers whose exposed plain text data included email and IP addresses, customer support claims and cases, as well as Microsoft’s case numbers, notes and support resolutions. But remember, Microsoft support scams still abound, and this most recent breach provides fraudsters with the ammunition they need to continue perpetrating such scams.
Among Microsoft’s other recent security woes includes public statement warnings by both the National Security Agency (NSA) Cybersecurity Directorate and the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) about an “extraordinarily serious” core cryptographic component that resides in Windows 10 and previous versions as well. Just days later, the company’s Internet Explorer zero-day vulnerability was brought to light. Although the weakness is currently actively being exploited, Microsoft is slated to release a security fix for the situation that has yet to arrive. About their latest data snafu, the company warns users “Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications…These are common tactics among tech scammers.”
If you are in charge of data, be sure to test that it is truly secure, especially if changes are made to the systems it resides on. A few extra minutes to check can prevent your organization from making headlines like this one.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org