Microsoft disclosed a security breach that led to the accidental exposure of around 250 million customer support and service records, some containing personally identifiable information, between 05 and 31 December 2019. The exposure was caused by a misconfigured internal customer support database, which consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations.
Microsoft's security teams were working overtime to close a potentially enormous security loophole. On Thursday, the company disclosed a database error that temporarily left approximately 250 million customer service and support records accessible to anyone with a web browser. pic.twitter.com/usv4Bz7TPs
— Intel Ape (@IntelApe) January 23, 2020
This is a fairly common type of hack. Overly permissive permissions abound on servers and cloud products all over the Internet. Having worked for Microsoft for 15 years, 11 years as a full-time employee, I’ve seen firsthand how much they try to fight scenarios like this. There are multiple layers of controls and education designed to stop it from happening. And it shows you how hard it is to prevent it 100% of the time. Nothing is perfect. Mistakes and leaks happen. Every organization has overly permissive permissions. Every! It’s just a matter of if someone outside the organization discovers it or if someone takes advantage of it. In this case, as bad as it is, it was discovered by someone who didn’t do malicious things with it. Sure, the data, sitting unprotected, could have also been used by the bad guys, but so far no one has made that case or provided evidence that it has been used maliciously. So far, all that is known is that a security researcher found it and reported it. That’s a pretty good outcome if that\’s all that happens. The question is how any organization treats a report like this. I know Microsoft is treating it seriously and looking at how it happened. Because that’s the most important part. Anyone can have a mistake. The most important question is how the mistake happened and how to prevent it from happening next time, and if there are any others that could have happened from the same set of circumstances. As long as the organization uses the report to aggressively figure out what happened and fix it, it’s not necessarily the worst thing to happen…to the organization or the customer’s data they protect. It makes it more likely that customers\’ data will be better protected now and in the future. I know Microsoft is going to do that. But if another organization got the same report, fixed the permissions, and went on with life without finding out HOW it happened…well, that’s a different story.
This incident shows that even the smallest misconfiguration error can place large amounts of consumer data at risk. Microsoft should be applauded for its swift response, even during the holiday season. With email addresses and knowledge that a consumer contacted Microsoft support, cybercriminals can launch targeted spear-phishing attacks that could have high success rates, so anyone that has been contacted by Microsoft about this leak should remain extra vigilant online. If you receive an email that looks to be from Microsoft support, don’t open it – contact customer services instead.
Yet another cybersecurity prophecy has become reality, with Matthew Rathbun, CISO for Azure Government stating, \”Ninety percent of my threat landscape starts with a human, either maliciously or inadvertently, making a mistake that somehow compromises security.\” Despite spending over $1 billion annually on cybersecurity, Microsoft has exposed data on 250 million customers by exposing several databases that had no password protection or encryption, the most basic of security measures.
There have been countless exposures of critical data over the past couple of years, all of which follow the same script: customer data gets uploaded to cloud server; well-meaning developer neglects to password protect or encrypt that externally exposed database; and then enters hacker or threat researcher stage.
It’s becoming clear that the growing complexity of securing IT assets is an enormous challenge, even for giants like Microsoft. Enterprises must put procedures and systems in place that tighten its configuration process and uses automation wherever possible. Monitoring application and device settings and comparing these to recommended best practices reveals the threat for misconfigured devices located across your network and across all servers.
Misconfiguring a cloud server can have massive consequences, especially when the server contains hundreds of millions of customers’ records. Aside from this incident with Microsoft, we have seen misconfigured Elasticsearch servers become an increasingly common culprit that recently caused data leaks at companies including Rubrik, Voipo, Gearbest, Meditab, and Dow Jones.
What sticks out about this incident is the fact that in early November 2019, Microsoft announced that it will honor CCPA throughout the U.S., and it was the first company to extend GDPR rights to customers around the world. This shows that even a forward-thinking company like Microsoft, who is unrelentingly dedicated to protecting their customers, can suffer a data breach due to misconfigurations. If they can be affected, anyone can. This illustrates that being compliant does not guarantee that you are secure, especially for companies that have adopted cloud and multi-cloud environments. The software-defined nature of the cloud leads to frequent changes and it is important that organizations implement a continuous and automated cloud security strategy in order to detect and remediate threats such as misconfigurations and compliance violations in real-time.
Additionally, organizations must be cognizant of their cloud service providers\’ storage access policies and use these policies to define access. Microsoft must ensure that their security team understands that incorrectly configured policies can result in costly damages. In this instance, because the records exposed include customer email and IP addresses, affected customers should be on high alert for phishing scams.
Assuming the data was not exploited by malicious actors as per the official statement, there is not much practical risk so far. However, it is impossible to say whether the information from this server, or other presumably existing servers, has ever been detected and stolen by cybercriminals.
The absence of PII* in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords. The data is a gold mine for patient criminals aiming to breach large organizations and governments.
Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks. We will likely see a multitude of similar incidents in 2020.