New Year Off To A Rough Start. What Microsoft Data Breach Tells Us About 2020

Credits: The Washington Post / Tech Privacy Series 2019, by Matt Chinworth

 

Heightened tensions between the U.S. and Iran only three days into the year, bush fires of catastrophic proportions in Australia, and a novel coronavirus spreading fast in China and 2020 seems like is off to a rough start.

Is the world becoming an increasingly complicated place or are we simply becoming more aware?

 

History would disagree with the premise. 2020 seems like a walk in the park compared to 1945 of the nuclear bombing of Hiroshima and Nagasaki or 1941, the deadliest year of the Holocaust, when 6 million Jews died at the hands of Nazis. And if we continue to go back by the same principle, naturally, matters only worsen, like in 1914 when World War I begins or 1492 when Columbus reaches what is now America setting in motion a vicious process of enslavement and destruction causing the near-decimation of the indigenous, native population.

I could go as far as mentioning the plague or even the asteroid that stroke the dinosaurs, but I feel like we’re getting a little bit ahead of ourselves. And perhaps the mere comparison is just as unsettling and ultimately defeats the purpose of my premise, and I digress.

From the pragmatic to the existential, to the obscure, 2020 debuts with significant challenges, from Burkina Faso to Venezuela to Australia.

Maybe not as critical as all of the above, but certainly troubling is Microsoft’s 250 million customer service and support records that were breached due to server misconfigurations, leading to a rough start of the year in Silicone Valley, as well. 

Microsoft Data Breach – What happened?

 

Credits: Security@Me, behance.com

 

More than 250 million Microsoft customer service and support records were exposed for two full days. The data consisted of 14 years of customer and support records, dating back to 2005, mainly logs containing personally identifiable information such as email and IP addresses, payment information, locations, claims, cases, resolutions, and remarks. While payment information was redacted, everything else was in plain text form, so anyone with an internet connection could have accessed the data. 

A team of security researchers first discovered the data breach at Comparitech, who spotted 5 Elasticsearch servers where Microsoft stored the data set. Shortly after, they notified Microsoft, which secured the data, conducted an investigation in the next two days, and issued an apology. 

According to Microsoft, there were no signs of malicious use, assuring users that most personally identifiable information was scrapped before it was stored. For the rest of the information that was entered in non-standard formats, some of the data may have survived automatic scrubbing remaining as plaintext. On all these accounts, Microsoft claims everyone affected by the latter, was personally notified. 

What caused the data breach?

Upon investigation, Microsoft admitted to having misconfigured rules following a change in the database network security group. The company says they will be auditing policies and implement new tools to redact stored sensitive information and a new system to better monitor misconfigurations. 

What does the incident tell us about 2020?

After the 250 million records data breach, happening end of December, Microsoft experienced more security issues as 2020 started. An emergency security update was pushed after the NSA found a glitch in Microsoft’s cryptographic system. 

According to Chris DeRamus (Co-Founder of DivvyCloud), misconfigurations tell us a lot about the current state of affairs in 2020 network security: 

“Misconfiguring a cloud server can have massive consequences, especially when the server contains hundreds of millions of customers’ records. Aside from this incident with Microsoft, we have seen misconfigured Elasticsearch servers become an increasingly common culprit that recently caused data leaks at companies including Rubrik, Voipo, Gearbest, Meditab, and Dow Jones.

[…] What sticks out about this incident is the fact that in early November 2019, Microsoft announced that it will honor CCPA throughout the U.S., and it was the first company to extend GDPR rights to customers around the world. This shows that even a forward-thinking company like Microsoft, who is unrelentingly dedicated to protecting their customers, can suffer a data breach due to misconfigurations. If they can be affected, anyone can.”

He then goes on by saying that being compliant does not necessarily imply being secure in 2020, primarily for cloud and multi-cloud environments, as cloud by nature is made to accommodate frequent changes. Continuous automated cloud security strategy to detect and remediate misconfiguration needs to be in place, in real-time.

In 2020 data is the currency and sometimes even a political weapon to be reckoned with. In other words, data is today an informational, political and economic asset capable of traveling the speed of light in a vacuum( able to operate at 99.7% the speed of light according to researchers at the University of Southampton in England, source: Extreme Tech).

The digital world is now creating tangible value from big data so expect internet privacy to take an even more prominent route in the future. (Ain’t no going back)

Nowadays, security must come in layers, not only in the corporate environment but on a personal level also.

The number one thing you need to get in line with is being more security-aware. Having a VPN connection, for starters. It’s really simple to use and just like that poof! your data travels through an encrypted tunnel, safe from prying eyes and encrypted all the while.

It won’t save you from server misconfigurations, but it will make you less vulnerable while online.

Fact is, not only in Silicon Valley but across the continents, 2020 seems like a challenging time to be alive. Provided we survive the climate change, nuclear race and everything else in between, technology can either save or endanger us, leading to simplification, complication or both. And maybe, this is just the way things should go. In order to simplify, we must first face all possible complications, readjust, re-adapt and ultimately learn. In the meantime, reminding ourselves that trouble doesn’t operate on the Gregorian calendar is probably the most accurate image we should keep in mind about 2020.

Post navigation


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>