Microsoft announced this week that it had accidentally exposed over 250 million customer support records. The support requests were left on exposed servers without password protection from December 5 to December 31, 2019. The software giant says that a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that allowed the data to be exposed.
Engineers were notified of the issue on December 31, 2019, and restricted the database to prevent unauthorized access. Microsoft says that the investigation found no malicious use of the data. It also notes that most customers didn’t have personally identifiable information exposed.
Microsoft says that it wanted to be transparent about the incident and reassure all customers that it was holding itself accountable and taking the issue seriously. The vast majority of records were cleared of personal information. However, some of the information may not have been redacted.
Microsoft is taking action to prevent this sort of issue from happening again. It plans to audit the established network security rules for internal resources. It will expand the scope of mechanisms that detect security rule misconfigurations. It will also add additional alerting to service teams when misconfigurations are detected. Additional redaction automation will also be added.