The question is, then, how can other organizations avoid finding themselves in a similar sticky security situation? "It's a common mistake in any environment where data is stored," Bischoff says, "security groups set firewall rules that decide who can access what from where (or what device)." However, all of those aspects need to be audited on a regular basis, "to ensure security groups work as intended," according to Bischoff. It’s known that this exposure came about as a result of misconfigured security rules on the server holding the Microsoft customer services and support data. "It kind of demoralizes my soul when even the vendor can’t seem to get it right," Thornton-Trump says, "and why the vendor is storing such ancient records in the first place? I think it’s time for governments to start dropping the hammer on these very preventable data breaches." What positives can other organizations take away from this incident?
#Microsoft money 2005 premium patch windows 10
Given that there has already been interest from European data protection agencies regarding how Microsoft collects data from Windows 10 users, it wouldn't surprise me if there are now further investigations with a view to EU General Data Protection Regulation (GDPR) penalties. "This is massive, and not unexpected to be honest," he said, "it just shows how difficult it is for anyone, even a giant tech company, to manage data and storage correctly." I asked Ian Thornton-Trump, CISO at Cyjax and co-host of the BeerConOne virtual security conference, for his thoughts about this incident. The statement included an apology from Microsoft: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence." It’s time for governments to start dropping the hammer on very preventable data breaches That posting also confirmed that the exposure of the database started on December 5, 2019, as the result of misconfigured security rules, and was remediated on December 31. This may seem like no big deal in the overall scheme of things, but when you consider that Microsoft support scams are pretty rampant, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks.
However, the researchers say that many contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. The nature of the data appears to be that much of the personally identifiable information was redacted. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. What Microsoft customer records were exposed online, and where did they come from?
0 kommentar(er)
