Database security breaches are something that millions of Internet users worry about. The latest news comes from Microsoft, which reported that about 250 million Customer Service and Support (CSS) records were “accidentally” exposed on the web.
The leaked database contained details of conversations between Microsoft support agents and customers from across the globe, from 2005 up to December 2019. As per insiders, the exposed data could have been accessed by anyone via a web browser, as there was no need to key in a password or any authentication code.
On December 28, Bob Diachenko, a security researcher with Comparitech, was the first to find that the database had been compromised. The very next day, he reported the issue to Microsoft, resulting in immediate action by the US-based technology major. The engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.
Kudos to MS Security Response team – I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4
— Bob Diachenko (@MayhemDayOne) January 22, 2020
As the investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics has come to an end, the tech giant has announced that there was no malicious use of the information.
“Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices. In some scenarios, the data may have remained unredacted if it met specific conditions,”
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate,” Ann Johnson, Corporate Vice President – Cybersecurity Solutions Group and Eric Doerr, General Manager – Microsoft Security Response Center said in a blog post.
To prevent any future occurrences of database misuse, Microsoft outlined the following measures:
- Auditing the established network security rules for internal resources
- Expanding the scope of the mechanisms that detect security rule misconfigurations
- Adding additional alerting to service teams when security rule misconfigurations are detected
- Implementing additional redaction automation
Emphasising that misconfigurations are unfortunately a common error across the industry, the officials added, “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”