Misconfiguration Allows Access to Microsoft Support Database

On last week of 2019, Microsoft found a change made to the database’s network security group leads to misconfigured security rules that enabled exposure of an internal customer support database used for Microsoft support case analytics.

Although Microsoft ensure that the exposed data didn't contain any personal identifiable information and neither it was used for malicious purpose.

Microsoft got the notification of misconfiguration on December 5, 2019 and upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. 

Microsoft says- 
We are committed to the privacy and security of our customers and are taking action to prevent future occurrences of this issue. These actions include:
  • Auditing the established network security rules for internal resources. 
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.  
  • Adding additional alerting to service teams when security rule misconfigurations are detected. 
  • Implementing additional redaction automation.  
Microsoft apologize for the issue cause, and reassure to take this matter seriously on priority basis, and also use best security measures to prevent such kind of issues in future.

No comments for "Misconfiguration Allows Access to Microsoft Support Database "