from the they-would-say-that-wouldn't-they? dept.
Microsoft Confirms Customer Data Leak but Disputes Scope
Microsoft confirms customer data leak but disputes scope:
Microsoft has confirmed a data leak linked to a misconfigured server for a cloud storage service but is disputing the extent of the problem.
In a revelation this week, Microsoft's Security Response Center (MSRC) said the cloud provider was notified by threat intelligence firm SOCRadar on September 24 about the misconfigured endpoint that exposed business transaction data related to interactions between Microsoft and customers.
The information included planning or potential implementation and provisioning of Microsoft services, according to MSRC. Once notified, Microsoft secured the endpoint, which now can only be accessed through required authentication.
"Our investigation found no indication customer accounts or systems were compromised," the unit wrote. "We have directly notified the affected customers."
However, in a report also released this week, SOCRadar researchers wrote that the misconfigured server exposed sensitive data including proof-of-execution and statement-of-work documents, user information, product offers and orders, project details, and personally identifiable information (PII).
The documents may have also revealed intellectual property, they claim.
Microsoft Leaked 2.4TB of Data Belonging to Sensitive Customer. Critics are Furious
Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious:
Microsoft is facing criticism for the way it disclosed a recent security lapse that exposed what a security company said was 2.4 terabytes of data that included signed invoices and contracts, contact information, and emails of 65,000 current or prospective customers spanning five years.
The data, according to a disclosure published Wednesday by security firm SOCRadar, spanned the years 2017 to August 2022. The trove included proof-of-execution and statement of work documents, user information, product orders/offers, project details, personally identifiable information, and documents that may reveal intellectual property. SOCRadar said it found the information in a single data bucket that was the result of a misconfigured Azure Blob Storage.
Microsoft posted its own disclosure on Wednesday that said the security company "greatly exaggerated the scope of this issue" because some of the exposed data included "duplicate information, with multiple references to the same emails, projects, and users." Further using the word "issue" as a euphemism for "leak," Microsoft also said: "The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
Absent from the bare-bones, 440-word post were crucial details, such as a more detailed description of the data that was leaked or how many current or prospective customers Microsoft really believes were affected. Instead, the post chided SOCRadar for using numbers Microsoft disagreed with and for including a search engine people could use to determine if their data was in the exposed bucket. (The security company has since restricted access to the page.)
When one affected customer contacted Microsoft to ask what specific data belonging to their organization was exposed, the reply was: "We are unable to provide the specific affected data from this issue." When the affected customer protested, the Microsoft support engineer once again declined.
Critics also faulted Microsoft for the way it went about directly notifying those who were affected. The company contacted affected entities through Message Center, an internal messaging system that Microsoft uses to communicate with administrators. Not all administrators have the ability to access this tool, making it likely that some notifications have gone unseen. Direct messages displayed on Twitter also showed Microsoft saying that the company wasn't required by law to disclose the lapse to authorities.
(Score: 3, Touché) by SomeGuy on Monday October 24 2022, @11:27AM (1 child)
(sarcasam) But, but, but, but, the cloud is perfectly secure and reliable! The advertisements said so!
(Score: 3, Touché) by Opportunist on Monday October 24 2022, @03:53PM
Any German could have told you not only how to spell it properly but also what it means [leo.org].
("klaut" is imperative plural of "klauen", i.e. the command towards a bunch of people to do it)
(Score: 3, Insightful) by PiMuNu on Monday October 24 2022, @11:46AM
> wasn't required by law to disclose the lapse to authorities.
Not a European customer, then. And none of the leaked data pertained to Europeans. I assume they have checked this (lol)?
(Score: 5, Funny) by looorg on Monday October 24 2022, @03:27PM
Hi I'm Clippy the data-security-guardian! It looks like you suffered a data-breach and someone stolen some of your precious data bits. Would you like to know what you did wrong? [CANCEL] [HELP] [BLAME HAXXORS]