
Microsoft misconfiguration exposed 250M customer service records

Microsoft exposed 250 million customer support records on five Elasticsearch servers that had misconfigured Azure security rules, a Comparitech security research team found.

Microsoft became the latest organization to accidentally expose private data on the web.

The software giant Wednesday admitted it had exposed 250 million customer support records on five Elasticsearch servers, which were inadvertently made publicly accessible on the web for nearly a month.

According to Comparitech, which discovered the exposure, most personally identifiable information (PII) such as payment information was redacted. However, exposed information included customer email addresses, IP addresses, locations, descriptions of customer service and support claims and cases, Microsoft support agent emails, case numbers, resolutions, remarks, and internal notes marked as confidential.

"I was immediately stunned by the size and by the structure of data there, and even when I saw that most of the data there was automatically redacted, still there were some records with personal data in plain text," Bob Diachenko, leader of Comparitech's security research team, told SearchSecurity.

Microsoft, which corrected the misconfiguration last month, issued a statement that said it found no malicious use of the exposed data. The company said its investigation found that misconfigured Azure security rules were applied to the databases in early December.
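The article says only that "misconfigured Azure security rules" were applied to the databases, not what the rules were. The following added example (written for this page, not Microsoft's or Comparitech's code) shows the class of check a defender can run against their own rule sets: it evaluates Azure network security group (NSG) style inbound rules in priority order and reports which Elasticsearch ports an Internet source would be allowed to reach. The rule schema is a simplified version of Azure NSG rules and both rule sets are constructed; the assumption that the misconfiguration was an NSG rule is mine, not the article's.

```python
"""Audit NSG-style inbound rules for ports left open to the whole Internet.

Example code, not Microsoft's or Comparitech's tooling. The rule schema is a
simplified Azure NSG shape and the sample rule sets below are constructed.
"""

ELASTICSEARCH_PORTS = (9200, 9300)  # default HTTP API port and transport port

# Source prefixes that mean "anyone on the Internet" in this simplified model
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _port_matches(spec, port):
    """Does a destinationPortRange spec ("*", "9200", "9200-9300") cover port?"""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _rule_ports(rule):
    # Azure rules carry either destinationPortRange or destinationPortRanges
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def _is_internet_source(rule):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(str(p).lower() in INTERNET_SOURCES for p in prefixes)


def effective_verdict(rules, port, protocol="Tcp"):
    """Walk inbound rules by priority (lowest number wins, as in Azure NSGs) and
    return (access, rule_name) for the first rule matching TCP traffic to `port`
    from an Internet source. Falls back to the implicit deny if nothing matches."""
    inbound = sorted(
        (r for r in rules if r.get("direction", "").lower() == "inbound"),
        key=lambda r: int(r["priority"]),
    )
    for rule in inbound:
        proto = rule.get("protocol", "*")
        if proto != "*" and proto.lower() != protocol.lower():
            continue
        if not _is_internet_source(rule):
            continue  # rule only applies to a narrower source, not the Internet
        if any(_port_matches(spec, port) for spec in _rule_ports(rule)):
            return rule["access"], rule["name"]
    return "Deny", "<implicit DenyAllInBound>"


def internet_exposed_ports(rules, ports=ELASTICSEARCH_PORTS):
    """Return {port: rule_name} for every port an Internet source is allowed to reach."""
    exposed = {}
    for port in ports:
        access, name = effective_verdict(rules, port)
        if access.lower() == "allow":
            exposed[port] = name
    return exposed


# Constructed sample: an over-broad Allow sitting above the default deny.
MISCONFIGURED_RULES = [
    {"name": "AllowES", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
    {"name": "AllowSSHFromOffice", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample: Elasticsearch reachable only from the virtual network,
# with an explicit deny for Internet sources ahead of the default deny.
CORRECTED_RULES = [
    {"name": "AllowESFromVnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "9200-9300"},
    {"name": "DenyESFromInternet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "9200-9300"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print("misconfigured:", internet_exposed_ports(MISCONFIGURED_RULES))
    print("corrected:    ", internet_exposed_ports(CORRECTED_RULES))
```

The audit deliberately models priority ordering rather than just grepping for `0.0.0.0/0`: a broad Allow is only a problem if no higher-priority Deny shadows it, and a narrow Allow (the office-only SSH rule above) is not flagged at all. Running such a check against exported rule sets on a schedule is the kind of control the statement alludes to when it says solutions existed but "were not enabled for this database".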

On Dec. 28, according to Comparitech, the databases were first indexed by BinaryEdge, a search engine. One day later, Diachenko discovered the exposed databases and immediately contacted Microsoft. Within two days, the servers and data were secured.

"They acted really quickly and professionally," Diachenko said. "In general, Microsoft's response was exemplary. I wish every company would have such a brilliant internet response protocol in place."

"We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database," Microsoft said in its statement. It is unknown what these solutions are and why they weren't in place; when SearchSecurity contacted Microsoft, the company declined to comment beyond the public statement.
