Can big tech companies really not keep a lid on the big jar they keep our data in? We are barely into 2020, and Microsoft has admitted that it ‘accidentally’ made the service and support records of more than 250 million customers accessible to anyone with a web browser and a connection to the world wide web. The exposure was temporary, and it was caused by a database error. Microsoft takes pains to insist that no personally identifiable information was exposed and that its investigations do not suggest any malicious use of the data while it was openly available.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” says the official statement released by the Microsoft Security Response Center.
For Microsoft, this is the second major data security incident in the past year. In April 2019, the company confirmed that hackers had accessed the customer support system and gotten their hands on email accounts of some of its users.
With regard to the latest incident, the Comparitech security research team led by Bob Diachenko discovered that the data was exposed on five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. They believe that the data which was temporarily exposed included the email addresses of customers, their IP addresses, location data, as well as case numbers and possible resolutions.