On Wednesday, Microsoft disclosed that on December 29 a security researcher notified the company of a massive database error that left 250 million customer records vulnerable to attack. In a blog post, Microsoft said the vulnerability was the result of a "misconfiguration of an internal customer support database used for Microsoft Support case analytics," though it says it has found no evidence that the information was compromised.
The company implemented a fix for the database error within two days of being notified, and says it believes no customer information was affected. Still, Microsoft has begun notifying customers whose information is included in the database so that they are aware their data could have been exposed.
In most cases, Microsoft says that personally identifiable information was redacted from the database, which was used for analyzing support cases. In some instances, however, email addresses or other personal information may have been included.
Since the database included information about support cases, a breach could make it easier for a scammer to impersonate Microsoft customer support personnel and attempt to gain access to a customer's account, computer, or data. Support-impersonation scams are not uncommon, but rarely does an attacker have genuine customer case information to use as a starting point.
Microsoft says that the misconfiguration occurred when security rules for the database were updated on December 5, causing the records to be exposed. While the company doesn't believe any customer information was breached, the data was exposed for 24 days, leading to the possibility that it could have been accessed. The company pointed out that this type of mistake is far too common, and encourages customers to evaluate their own system setup.
Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.
On Microsoft's part, the company has said it is implementing changes to prevent this type of vulnerability in the future. Those changes include evaluating and auditing the company's "established network security rules for internal resources," as well as implementing mechanisms designed to detect security rule misconfigurations and notify security teams when they are discovered. Additionally, the company is making changes to the way it redacts personal information for this type of database to prevent unintended exposure.
If you're a Microsoft Support customer, you're probably wondering whether you should do something. Microsoft says it is notifying customers who may have had their information included in the database.
Unfortunately, Microsoft is right: there are far too many examples of customer information being exposed by companies that fail to have adequate protection in place. In fact, this is the second time in the last year that Microsoft has reported that customer information may have been compromised.
And Microsoft certainly isn't the only company that has had a problem with keeping customer data secure. Facebook, Equifax, and others have been the target of high-profile attacks or exposures. That means it's on you to be vigilant and take responsibility for your own information and privacy protection.
It's also worth reminding ourselves that if you receive an email or phone call that just doesn't seem right, you should not give out any personal or company information. Always use official channels to get support, and if you haven't requested an email or phone call, treat any unsolicited communication with suspicion.