For the better part of December, a Microsoft database containing customers’ private information was exposed to the internet.
Microsoft was made aware of the vulnerability by a third-party security researcher. When the company looked into it, it found that the database was accessible to the internet between December 5, 2019 and December 31, 2019.
It stated that the internal database was used for support case analytics and did not represent an exposure of Microsoft’s commercial cloud services.
Microsoft found out that the information was potentially exposed due to a misconfiguration of network security group security rules that enabled exposure of the database information.
The Redmond-based business is said to have mitigated the problem. It also said that data stored in the database was automatically redacted to remove personal information.
System generated data related to support cases such as resource location, contact information provided to support agents or contained in customer support requests, email addresses, telephone numbers and IP addresses.
Other data exposed also included information shared with support agents as part of the support case interaction such as descriptions of technical issues, issue reproduction steps and information shared to assist support agents with troubleshooting.
It is now reaching out to customers who were potentially exposed through the vulnerability.
Affected customers are being notified of this event.
“Misconfigurations are unfortunately a common error across the industry,” Microsoft said in the email going out to customers. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your configurations and ensure your own configurations and ensure you are taking advantage of all protections available.”
The statement added, “Once identified, Microsoft mitigated the issue, and our security team’s investigation found no indication of malicious use of the database records.”
Copyright © 2018 RegTech Analyst