Privacy - What nobody may know about you

Data breach at Microsoft

22-01-2020, 16:00 by SecOff, 2 replies
Just received the attached communication from MS:

Microsoft database containing Customer Support data was accessible from the Internet

Microsoft has corrected an issue identified by a third-party security researcher where a database containing a subset of information related to customer support interactions was accessible to the internet between the dates of December 5, 2019 and December 31, 2019. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services. Once identified, Microsoft mitigated the issue, and our security team’s investigation found no indication of malicious use of the database records. Our analysis of the support information indicates that specific personal or organizational identifiable information related to your support case was potentially visible.

You are receiving this message as a global administrator, account administrator, or technical contact for your organization’s tenant. As a result of this issue, the support data exposed may include the following:

System generated data related to support cases such as:
  - Resource location
Contact information provided to support agents or contained in customer support requests:
  - Email addresses
  - Telephone numbers
  - Internet Protocol (IP) addresses
Information shared with support agents as part of the support case interaction such as:
  - Descriptions of technical issues
  - Issue reproduction steps
  - Information shared to assist support agents with troubleshooting

Affected customers are being notified of this event. To obtain the data specific to your organization that were potentially exposed, please submit an Azure support request.

Summary of event

During the investigation, we determined that this information was potentially exposed due to a misconfiguration of network security group security rules.

Microsoft engineers determined that a change made to the database's network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the database information. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.

As part of Microsoft’s standard operating procedures, data stored in the database is redacted using automated tools to remove personal information. Our investigation confirmed that the vast majority of records were redacted as intended. In some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (“XYZ @contoso com” vs “XYZ@contoso.com”). We have begun notifications to customers whose data was present in this redacted database.

We are committed to the privacy and security of your data and are taking action to prevent future occurrences of this issue. These actions include:

  - Audit the established network security rules for internal resources.
  - Expand the scope of the mechanisms that detect security rule misconfigurations.
  - Add additional alerting to service teams when security rule misconfigurations are detected.
  - Implement additional redaction automation.

Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.

This documentation is included as general guidance and is not intended to be all-inclusive for how to configure your environment.
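The root cause in the notice is a network security group (NSG) rule change that left a database reachable from the Internet, and the promised follow-up is to audit existing rules and detect such misconfigurations. The script below is an added example, not code from the post or from Microsoft: it simulates the NSG evaluation model (inbound rules checked in ascending priority order, first match wins) for a packet from an arbitrary Internet address to common datastore ports, and reports every port an Allow rule lets through. The rule records are constructed to resemble the fields of an Azure NSG security rule; the port list, rule names and helper names are this example's own assumptions.

```python
"""Audit NSG-style inbound rules for datastore ports reachable from the Internet.

Added example; the rules below are constructed sample data, not a real NSG.
"""
import ipaddress

# Ports a datastore commonly listens on (assumed list for this example).
DATASTORE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}

# RFC 5737 documentation address standing in for "any host on the Internet".
DEFAULT_SOURCE = "203.0.113.5"


def source_matches(prefix, addr):
    """True if the rule's sourceAddressPrefix covers `addr`.

    Wildcards and the Internet service tag match everything; CIDRs are tested
    with ipaddress; other service tags (VirtualNetwork, AzureLoadBalancer, ...)
    do not cover an Internet address, so they are treated as non-matching.
    """
    p = prefix.strip().lower()
    if p in ("*", "internet", "any"):
        return True
    try:
        return addr in ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False


def port_matches(port_range, port):
    """Match a destinationPortRange of the form '*', '1433' or '9000-9300'."""
    r = port_range.strip()
    if r == "*":
        return True
    if "-" in r:
        lo, hi = (int(x) for x in r.split("-", 1))
        return lo <= port <= hi
    return int(r) == port


def protocol_matches(rule_proto):
    # Datastores in this example are TCP services; '*' covers every protocol.
    return rule_proto.strip().lower() in ("*", "tcp")


def exposed_ports(rules, ports=DATASTORE_PORTS, source=DEFAULT_SOURCE):
    """Return {port: rule_name} for every port an Allow rule admits from `source`.

    Rules are evaluated like an NSG: inbound only, lowest priority number
    first, and the first rule whose source, protocol and port all match
    decides the outcome (Allow or Deny). Later rules are never consulted.
    """
    addr = ipaddress.ip_address(source)
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    findings = {}
    for port in sorted(ports):
        for rule in inbound:
            if not (source_matches(rule["sourceAddressPrefix"], addr)
                    and protocol_matches(rule["protocol"])
                    and port_matches(rule["destinationPortRange"], port)):
                continue
            if rule["access"].lower() == "allow":
                findings[port] = rule["name"]
            break  # first matching rule decides; stop walking
    return findings


# Constructed sample rule set. The second rule is the kind of "temporary"
# wildcard change that opens a datastore to the world; the last one mirrors
# the catch-all DenyAllInBound that sits at the bottom of every NSG.
SAMPLE_RULES = [
    {"name": "allow-vnet-sql", "direction": "Inbound", "access": "Allow",
     "priority": 100, "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "1433"},
    {"name": "temp-analytics-access", "direction": "Inbound", "access": "Allow",
     "priority": 200, "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "9000-9300"},
    {"name": "deny-ssh-internet", "direction": "Inbound", "access": "Deny",
     "priority": 300, "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "DenyAllInBound", "direction": "Inbound", "access": "Deny",
     "priority": 65500, "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


if __name__ == "__main__":
    for port, rule in exposed_ports(SAMPLE_RULES).items():
        print(f"ALERT: port {port} reachable from the Internet via rule '{rule}'")
    # Prints one line for port 9200 (rule 'temp-analytics-access').
```

Running the same check with an address inside the VNet (for example `exposed_ports(SAMPLE_RULES, source="10.0.4.2")`) shows port 1433 admitted by the intended rule, which is the difference an audit should surface: an allow from a private range is expected, an allow from a wildcard source on a datastore port is the finding that needs alerting. The audit deliberately models first-match semantics rather than just grepping for `*` sources, because a wildcard Allow sitting below a narrower Deny is not an exposure, and a wildcard Allow above one is.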