Microsoft is facing criticism for the way it disclosed a recent security lapse that exposed what a security company said was 2.4 terabytes of data that included signed invoices and contracts, contact information, and emails of 65,000 current or prospective customers spanning five years.
The data, according to a disclosure published Wednesday by security firm SOCRadar, spanned the years 2017 to August 2022. The trove included proof-of-execution and statement of work documents, user information, product orders / offers, project details, personally identifiable information , and documents that may reveal intellectual property. SOCRadar said it found the information in a single data bucket that was the result of a misconfigured Azure Blob Storage.
Microsoft can’t, or Microsoft won’t?
Microsoft posted its own disclosure on Wednesday that said the security company “greatly exaggerated the scope of this issue” because some of the exposed data included “duplicate information, with multiple references to the same emails, projects, and users.” Further using the word “issue” as a euphemism for “leak,” Microsoft also said: “The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. “
Absent from the bare-bones, 440-word post were crucial details, such as a more detailed description of the data that was leaked or how many current or prospective customers Microsoft really believes were affected. Instead, the post chided SOCRadar for using numbers Microsoft disagreed with and for including a search engine people could use to determine if their data was in the exposed bucket. (The security company has since restricted access to the page.)
When one affected customer contacted Microsoft to ask what specific data belonging to their organization was exposed, the reply was: “We are unable to provide the specific affected data from this issue.” When the affected customer protested, the Microsoft support engineer once again declined.
Critics also faulted Microsoft for the way it went about directly notifying those who were affected. The company contacted affected entities through Message Center, an internal messaging system that Microsoft uses to communicate with administrators. Not all administrators have the ability to access this tool, making it likely that some notifications have gone unseen. Direct messages displayed on Twitter also showed Microsoft saying that the company wasn’t required by law to disclose the lapse to authorities.
“MS being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators — a legal requirement — has the hallmarks of a major botched response,” Kevin Beaumont, an independent researcher, wrote on Twitter. “I hope it isn’t.”
He went on to post screenshots documenting that the exposed data has been publicly available for months on Grayhat Warfare, a database that sweeps up and stores data exposed in public buckets.
As the Grayhat Warfare images Beaumont posted indicate, the cached data included digitally signed contracts and purchase orders. He said that other exposed data includes “emails from US .gov, talking about O365 projects, money etc.” It also included information pertaining to CNIshort for critical national infrastructure.
Besides criticism of the way Microsoft has gone about disclosing the leak, the incident also raises questions about Microsoft’s data retention policies. Often, years-old data is of more benefit to potential criminals than it is to the company holding it. In cases like these, the best course is often to periodically destroy the data.
Microsoft didn’t immediately respond to an email seeking comment for this story.
Prospective or actual Microsoft enterprise customers over the past five years should review both blog posts linked above and also check Message Center for any exposure notifications. In the event an organization is affected, personnel should be on the lookout for scams, phishing emails, or other attempts to exploit the exposed information.