What was Exposed
During this latest security breach, Microsoft CSS records spanning 14 years were exposed. The records included phone conversations between service agents and customers dating back to 2005. The internal database containing these records was held on a cluster of five Elasticsearch servers. An Elasticsearch cluster is a distributed full-text search engine used to analyze large volumes of data. All five servers contained the same information and appear to have been mirrors of each other. This internal database was being used for support case analytics. Most of the records did not contain Personally Identifiable Information (PII), as it is Microsoft’s standard practice to redact PII from analytics databases. However, some PII remained in records where customers had provided it in a non-standard format, for instance email addresses containing spaces instead of being written in the standard format, which the automated redaction did not catch. Thus, although most PII was redacted from the records, many still contained customer email and IP addresses, which were exposed. The records also contained support agent emails, internal notes and descriptions of CSS cases.
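The redaction gap described above (addresses typed in a non-standard, space-separated form slipping past a format-based redactor) can be demonstrated with a small script. The following is an added example, not Microsoft's redaction tooling: it contrasts a strict email pattern with a whitespace-tolerant one, redacts IPv4 addresses alongside, and adds a post-redaction audit that counts any PII-like strings still present in a record. The sample records and the assumed "jane . doe @ example . com" form of the non-standard input are constructed for illustration.

```python
import re

# Sample support-case notes, constructed for this example (not real Microsoft records).
RECORD_STANDARD = "Customer reachable at jane.doe@example.com from 203.0.113.42"
RECORD_NONSTANDARD = "Customer wrote email as jane . doe @ example . com, callback from 198.51.100.7"

# Strict pattern: the usual well-formed address with no whitespace anywhere.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Tolerant pattern: allows whitespace around "@" and around the dots, so an address
# typed as "jane . doe @ example . com" is still recognised (assumed non-standard form).
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9_%+-]+(?:\s*\.\s*[A-Za-z0-9_%+-]+)*"   # local part, dots may be spaced
    r"\s*@\s*"                                          # spaced "@"
    r"[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)*"          # domain labels
    r"\s*\.\s*[A-Za-z]{2,}"                             # top-level domain
)

# Dotted-quad IPv4 address with each octet limited to 0-255.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def redact_strict(text: str) -> str:
    """Redaction that only recognises well-formed addresses (misses non-standard input)."""
    text = STRICT_EMAIL.sub("[EMAIL REDACTED]", text)
    return IPV4.sub("[IP REDACTED]", text)


def redact_tolerant(text: str) -> str:
    """Redaction that also catches addresses written with stray whitespace."""
    text = TOLERANT_EMAIL.sub("[EMAIL REDACTED]", text)
    return IPV4.sub("[IP REDACTED]", text)


def residual_pii_count(text: str) -> int:
    """Post-redaction audit: how many email-like strings or IPv4 addresses survive."""
    return len(TOLERANT_EMAIL.findall(text)) + len(IPV4.findall(text))


if __name__ == "__main__":
    for record in (RECORD_STANDARD, RECORD_NONSTANDARD):
        strict = redact_strict(record)
        print("strict  :", strict, "| residual PII:", residual_pii_count(strict))
        tolerant = redact_tolerant(record)
        print("tolerant:", tolerant, "| residual PII:", residual_pii_count(tolerant))
```

The residual count is the check worth keeping: run it over the analytics copy after redaction, and any non-zero result flags a record whose PII escaped the redactor, whatever format the customer used.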
Microsoft’s Investigation of the Security Breach
Microsoft’s investigation into the breach revealed that the issue was caused by a change in the database’s network security group. The change, made on 5 December, contained misconfigured security rules that left the data within the database exposed. Microsoft also stated that its investigation indicated that the exposed data had not been put to malicious use. Nonetheless, Microsoft intends to contact all customers who had PII data in the redacted database. Furthermore, the investigation determined that the issue was specific to the internal database used for support case analytics. It did not affect Microsoft’s commercial cloud services.
Security Breach Timeline
The Elasticsearch servers were left online, password-free and unprotected, from the 5th to the 31st of December 2019. The breach remained undetected until the 28th of December, when the servers were indexed by the BinaryEdge search engine. A day later, the unsecured databases were discovered by an independent cyber security consultant, Bob Diachenko, who immediately informed Microsoft. Microsoft acted swiftly and the databases were re-secured by the 31st of December. Diachenko praised Microsoft’s response in a tweet saying: “Kudos to MS Security Response team – I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Other Such Security Breaches
In the wake of this latest breach, Microsoft is looking at implementing new strategies to ensure this doesn’t happen again. These include auditing the internal network security rules currently in place and implementing additional redaction automation. Microsoft also intends to put in place additional alerts to notify service teams when security rule misconfigurations are detected. However, Microsoft’s breach is just the latest in a string of security breaches in which companies have exposed sensitive consumer data through Elasticsearch server misconfigurations. Other companies that have had similar breaches include Wyze and Honda. One of the largest breaches, which exposed over one billion records in November last year, also involved Elasticsearch servers.
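The root cause (a network security group rule change that exposed the cluster) and the planned remediation (auditing the rules and alerting on misconfigurations) can both be illustrated with a rule evaluator. The script below is an added example, not Microsoft's tooling or Azure's own API: it models network security group semantics (rules evaluated in ascending priority, first match wins, implicit deny) over two constructed rule sets whose field names only loosely follow the Azure NSG schema, and it reports which Elasticsearch ports an Internet source would be allowed to reach. The rule contents, the probe address and the treatment of service tags are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed rule sets; field names loosely follow the Azure NSG rule schema
# (assumption). These are illustrative rules, not Microsoft's actual configuration.
MISCONFIGURED_RULES: List[Dict] = [
    {"name": "allow-es-from-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "*", "destination_port_range": "9200-9300"},
    {"name": "allow-ssh-corp", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "10.0.0.0/8", "destination_port_range": "22"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source_address_prefix": "*", "destination_port_range": "*"},
]

# Same cluster with the Elasticsearch rule restricted to the internal address space.
CORRECTED_RULES: List[Dict] = [
    {"name": "allow-es-from-vnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "10.0.0.0/8", "destination_port_range": "9200-9300"},
    MISCONFIGURED_RULES[1],
    MISCONFIGURED_RULES[2],
]

ELASTICSEARCH_PORTS = (9200, 9300)   # REST API and transport ports
INTERNET_PROBE = "203.0.113.10"      # constructed public source address (TEST-NET-3)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def _source_matches(prefix: str, source: str) -> bool:
    # "*" and the Internet tag match any source; CIDR prefixes are checked properly;
    # other service tags (e.g. VirtualNetwork) are treated as never matching a public
    # probe address, a simplification assumed for this example.
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def first_matching_rule(rules: List[Dict], port: int, source: str,
                        protocol: str = "Tcp") -> Optional[Dict]:
    """NSG semantics: evaluate in ascending priority, the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _port_matches(rule["destination_port_range"], port):
            continue
        if not _source_matches(rule["source_address_prefix"], source):
            continue
        return rule
    return None


def effective_access(rules: List[Dict], port: int, source: str, protocol: str = "Tcp") -> str:
    rule = first_matching_rule(rules, port, source, protocol)
    return rule["access"] if rule else "Deny"   # implicit deny when nothing matches


def find_internet_exposures(rules: List[Dict], ports=ELASTICSEARCH_PORTS,
                            probe: str = INTERNET_PROBE) -> List[Dict]:
    """Audit check: which sensitive ports would an Internet source be allowed to reach?"""
    findings = []
    for port in ports:
        rule = first_matching_rule(rules, port, probe)
        if rule and rule["access"] == "Allow":
            findings.append({"port": port, "rule": rule["name"],
                             "source": rule["source_address_prefix"]})
    return findings


if __name__ == "__main__":
    for label, rules in (("misconfigured", MISCONFIGURED_RULES), ("corrected", CORRECTED_RULES)):
        exposures = find_internet_exposures(rules)
        status = "ALERT" if exposures else "ok"
        print(f"{label:13s} {status}: {exposures}")
```

Run periodically (or on every rule change) against the exported rule set, a non-empty findings list is exactly the condition the article says Microsoft now wants to alert service teams on: a data-store port reachable from an unrestricted source.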
Phishing Scams Warning
Although the Microsoft records were left exposed for only a short period of time, it is not known whether they have fallen into the hands of cybercriminals. Therefore, security experts are warning customers to be wary of Microsoft or Windows phishing scams conducted either via email or phone. The data contained in the exposed records could be especially valuable to technical support scammers. Such scammers impersonate call center representatives from companies such as Microsoft to install malware on victims’ computers and steal their financial information. With real case numbers and information in hand, scammers would have a better chance of convincing their victims that they are Microsoft employees. That is why security experts are warning users to be extra vigilant for phishing scams in the coming months. Furthermore, Microsoft users should keep in mind that Microsoft never proactively reaches out to users to solve their technical problems. Nor would Microsoft ever ask for passwords or request that users install remote desktop applications like TeamViewer. These are all tactics commonly used by technical support scammers.