Microsoft Misconfiguration Exposes Customer Data

Written by

Microsoft has confirmed that a misconfigured endpoint unintentionally leaked business and personally identifiable information (PII) for some customers.

The tech giant said it was informed about the incident by threat intelligence firm SOCRadar on September 24, and secured the endpoint soon after with authentication.

“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” it said.

“The business transaction data included names, email addresses, email content, company name and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”

SOCRadar claimed in its own blog post yesterday that as many as 65,000 “entities” across 111 countries worldwide had been impacted by the leak. It noted that the incident stemmed from a misconfigured Azure Blob Storage bucket.

The firm acknowledged that Microsoft fixed the misconfiguration within hours.   

However, the Redmond giant claimed SOCRadar “greatly exaggerated” the size of the leak and took other actions not conducive to enhancing customer security.

“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error,” it said.

“More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”

It said all affected customers have been notified by the firm.

What’s hot on Infosecurity Magazine?