At the end of December 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database included support cases and details, emails and IP addresses of customers, customers’ geographical locations, and notes made by Microsoft support agents.
The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported.
What were the consequences?
Since the leaked data didn’t contain personally identifiable information and the company urgently sealed the breach and notified affected users, Microsoft suffered no fines or penalties.
However, Microsoft got lucky that the insider-caused data breach was discovered at the end of 2019. Several days later, on January 3, 2020, the California Consumer Privacy Act took effect. This law imposes a $750 fine for each individual harmed by a breach. Under the new legislation, Microsoft could have been fined millions of dollars.
Why did it happen?
At the beginning of December 2019, Microsoft deployed a new version of Azure security rules. Microsoft employees misconfigured those rules, which caused the accidental leak. Access to the database wasn’t protected with a password or two-factor authentication. The company could also have significantly reduced the detection time by monitoring user records and reviewing activity involving sensitive assets.
So who is affected? The customers, organisation, employees. Who else would be affected?