Microsoft announced today that an internal customer support database experienced a security breach in December 2019.
The technology company’s announcement came via a blog post published on Wednesday, January 22 on the Microsoft Security Response Center blog. According to the post, the breach occurred on December 5, 2019 and involved the “misconfiguration of an internal customer support database used for Microsoft support case analytics.” Essentially, the breach occurred when a change was made to the database’s network security group. This change carried with it “misconfigured security rules” which then caused the exposure of customer data. And according to ZDNet, the servers affected by the breach “contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details.”
This misconfiguration came to Microsoft’s attention on December 31, 2019 and was fixed that day as well. Microsoft was alerted to the breach by security researcher Bob Diachenko of Security Discovery.
According to Microsoft’s blog post, the security breach only involved “an internal database used for support case analytics” and Microsoft maintains that the breach didn’t involve an exposure of its commercial cloud services. In addition, Microsoft’s investigation into the matter found that there was “no malicious use” and that, for the most part, its customers “did not have personally identifiable information exposed.” But there is a caveat. While most customers may be unaffected by the breach because of company practices requiring the redaction of personal information via automated tools, the technology company did say that some customer data may have been exposed in the breach due to the following exception:
“In some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, ‘XYZ @contoso com’ vs ‘[email protected]’).”
Microsoft has said that for these special cases, it has started to notify the customers whose data may have been exposed in the breach. The software and technology company also said that it is planning on implementing the following practices to help prevent such a breach in the future:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.