Microsoft disclosed a database error that left 250 million customer call centre records accessible to anyone with a web browser.
Bob Diachenko spotted the database a day after five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.
“I immediately reported this to Microsoft, and within 24 hours, all servers were secured,” Diachenko said.
What data was published?
The records included phone conversations between service agents and customers spanning from 2005.
Five identical Elasticsearch databases contained 250 million entries, with information such as email addresses, IP addresses and support case details.
All five servers stored the same data.
It did give one example of data that would have been left behind: email addresses with spaces added by mistake were not recognised as personal data and therefore escaped anonymisation.
The Elasticsearch servers contained records dating from 2005 to 2019.
Microsoft said most of the records did not contain any personal user information.
“As part of Microsoft’s standard operating procedures, data stored in the support case Analytics database is redacted using automated tools to remove personal information,” said Microsoft.
Following the leak, actions are being taken to prevent this kind of issue in the future, including:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
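The spaced-address failure described above, as an added example (not Microsoft's redaction tooling): a strict email pattern misses addresses containing stray spaces, a whitespace-tolerant pattern catches them, and a cruder post-redaction check flags any record that still contains an "@". The patterns, sample lines and all names are constructed for illustration.

```python
import re

TOKEN = "[REDACTED_EMAIL]"

# Strict matcher: local part, "@" and domain must be contiguous.
STRICT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant matcher (assumption: stray spaces or tabs sit around "@" or before a dot).
TOLERANT = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+(?:[ \t]*\.[A-Za-z0-9-]+)+"
)

# Constructed support-case lines; none of this is data from the incident.
SAMPLE = [
    "Case 1001: customer jane.doe@example.com reports sign-in failure",
    "Case 1002: contact is john.smith @example.org, callback requested",
    "Case 1003: reply to maria@ example.net about billing",
    "Case 1004: no contact details on file",
]


def redact(records, pattern):
    """Replace every match of pattern with a fixed token."""
    return [pattern.sub(TOKEN, record) for record in records]


def residual_leaks(redacted):
    """Post-redaction audit: indexes of records that still contain an '@'.

    Deliberately cruder than either matcher, so it catches what they miss and
    can drive an alert instead of letting the record be stored as-is.
    """
    return [i for i, record in enumerate(redacted) if "@" in record]


def run(pattern):
    """Redact the sample with the given pattern and audit the result."""
    out = redact(SAMPLE, pattern)
    return out, residual_leaks(out)


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
        out, leaks = run(pattern)
        print(f"{name}: records still leaking an address -> {leaks}")
        for line in out:
            print("   ", line)
```

The tolerant pattern does not allow a space after a dot, so a sentence-ending period after an address is not swallowed into the match.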
If you ever receive a security alert email, avoid clicking on any links, calling any numbers or taking any online actions demanded in the email, whether or not you think the email is valid. To be on the safe side, always find your own way to the site where you would usually log in, and stay away from phishing emails.