Lessons from the Cloud Misconfiguration Exposing 250 Million Microsoft Customer Records
Microsoft recently admitted that its internal customer support database was inadvertently exposed to the public as a result of misconfigured security rules on the database's Azure network security group. Azure is the company's own cloud service.
According to Microsoft, the change that introduced the misconfigured security rules, and with it the public exposure of the company's internal customer support database, was made on December 5, 2019. Microsoft said the misconfiguration was corrected on December 31, 2019.
The company said that the vast majority of the exposed records had already been stripped of personal information, as it redacts personal information using automated tools. Some records, however, escaped redaction. Microsoft gave the example of an email address written with spaces instead of in the standard format, for example "XYZ @contoso com" rather than "XYZ@contoso.com": an automated redactor that only matches the standard form leaves such an address in plain text.
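The redaction miss Microsoft describes can be reproduced in a few lines of Python. The block below is an added example and is not Microsoft's redaction tooling; the regular expressions, the TLD allowlist and the support-case notes are constructed for the demonstration. It shows a strict pattern that matches only the canonical address form, a bounded tolerant pattern that also catches spaced-out spellings such as "XYZ @contoso com", and an audit helper that lists what the strict pattern would have left in plain text.

```python
"""Why a redactor tuned to the canonical address form misses "XYZ @contoso com".

Added example, not Microsoft's redaction tooling. The TLD allowlist and the
support-case notes below are constructed for the demonstration.
"""
import re

# Strict pattern: only the canonical local@domain.tld form, any number of labels.
STRICT_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)

# Assumed TLD allowlist; a real deployment would use the public suffix list.
TLDS = r"(?:com|net|org|edu|gov|io|co|uk)"

# Tolerant pattern: spaces allowed around "@" and between domain labels. To keep
# ordinary prose ("the team @ 2pm in room com") from being swallowed, it allows
# at most one extra label and must end on a known TLD not followed by ".x".
TOLERANT_EMAIL = re.compile(
    r"[\w.+-]+\s*@\s*[\w-]+"                # local part, "@", first domain label
    r"(?:\s*[.\s]\s*[\w-]+){0,1}?"          # optionally one more label (dot- or space-separated)
    r"\s*[.\s]\s*" + TLDS + r"\b(?!\.\w)",  # terminating TLD
    re.IGNORECASE,
)


def redact_strict(text):
    """The naive redactor: handles well-formed addresses only."""
    return STRICT_EMAIL.sub("[REDACTED]", text)


def redact(text):
    """Strict pass first, then the bounded tolerant pass for obfuscated spellings."""
    return TOLERANT_EMAIL.sub("[REDACTED]", redact_strict(text))


def leaked_addresses(text):
    """Audit helper: addresses the strict redactor leaves in plain text."""
    return [m.group(0) for m in TOLERANT_EMAIL.finditer(redact_strict(text))]


# Constructed support-case notes in the style the article describes.
SAMPLE_NOTES = [
    "Customer XYZ@contoso.com reports sync failures; escalated.",
    "Customer XYZ @contoso com reports sync failures; escalated.",
    "Follow-up sent to j.doe @ contoso.co.uk, awaiting reply.",
    "Agent met the on-site team @ 2pm in room com; no PII involved.",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print(f"strict:   {redact_strict(note)}")
        print(f"tolerant: {redact(note)}")
```

The tolerant pattern deliberately trades a few false negatives for far fewer false positives: without the label bound and the TLD anchor, any sentence containing an "@" would be at risk of being redacted wholesale. In practice the output of `leaked_addresses` over a sample of records is the quickest way to measure how much a redaction pipeline is missing before the data reaches an analytics store.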
Bob Diachenko, Cyber Threat Intelligence Director at Security Discovery and the researcher who reported the exposed data to Microsoft, said in a report published in collaboration with Comparitech that he discovered the exposed data on December 29, 2019 and immediately notified Microsoft. According to Diachenko, the exposed internal customer support data sat on five Elasticsearch servers, each holding an identical set of 250 million records, indicating that the servers were mirrors of each other.
Diachenko said that the exposed data consisted of logs of conversations between Microsoft support agents and customers from around the world, covering a 14-year period from 2005 to 2019. He added that while personally identifiable fields such as email aliases, contract numbers and payment information were redacted, many records still contained plain-text data, including customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions and internal notes marked "confidential".
Elasticsearch on Azure
Elasticsearch is an open-source search engine and database that developers use to build cloud-based systems. Configured correctly, it allows large volumes of data to be queried rapidly. In the article "Guidance for running Elasticsearch on Azure", Masashi Narumoto, Senior Program Manager, AzureCAT Patterns & Practices, said that it is "reasonably straightforward to build and deploy an Elasticsearch cluster to Azure." That ease of deployment is also why the network and authentication controls around a cluster matter: an Elasticsearch REST endpoint (port 9200 by default) answers any client that can reach it unless access is restricted.
In its disclosure of the incident, Microsoft said that an internal investigation found that "a change made to the database's network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data."
An Azure network security group (NSG) lets users filter network traffic to and from Azure resources. An NSG consists of security rules that allow or deny inbound traffic to, or outbound traffic from, several types of Azure resources. For each rule, users specify source and destination, port and protocol, together with a priority. Azure evaluates rules in ascending priority order and applies the first rule that matches, so a broad allow rule with a low priority number overrides any more specific deny rule placed after it. Every NSG also carries default rules, evaluated last, that allow traffic from within the virtual network and deny all other inbound traffic. The rules actually in force for a network interface can be listed with `az network nic list-effective-nsg`, which is the check to run after any rule change.
Through misconfigured rules in that network security group, Microsoft inadvertently exposed its internal customer support database to the public. According to Diachenko, the exposed database was indexed by the search engine BinaryEdge on December 28, 2019, and on December 29, 2019 he found Microsoft's internal customer support database accessible to anyone with a web browser, with no password or other authentication required.
Diachenko and Comparitech said that they do not know whether any other unauthorized parties accessed the database between its indexing by BinaryEdge on December 28, 2019 and the time Microsoft corrected the problem.
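The root cause Microsoft describes, misconfigured rules in the database's network security group, is something that can be checked mechanically, and it is the kind of check behind the rule auditing Microsoft lists among its follow-up measures. The Python below is an added example, not Microsoft's tooling and not the actual rules involved in the incident. It models the way Azure evaluates an NSG (ascending priority, first match wins, built-in default rules last) and audits a rule set, shaped like the JSON that `az network nsg show` returns, for inbound rules that let the Internet reach the Elasticsearch ports. Both rule sets are constructed; the "exposed" one also shows a deny rule that is shadowed by an earlier broad allow, a pattern that looks safe on a casual reading of the list.

```python
"""Audit an Azure NSG for inbound rules that expose a port to the Internet.

Added example. Models Azure's NSG evaluation: ascending priority, first match
wins, built-in default rules last. Input mirrors the shape of
`az network nsg show -o json`, reduced to the fields that matter.
"""
import ipaddress

# Built-in default inbound rules that Azure attaches to every NSG. Their high
# priority numbers put them after any custom rule (custom range is 100-4096).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _values(rule, singular, plural):
    """Azure populates either the singular field or the plural list; merge them."""
    values = list(rule.get(plural) or [])
    if rule.get(singular):
        values.append(rule[singular])
    return values


def prefix_admits_internet(prefix):
    """True if a source prefix matches traffic from an arbitrary public IP."""
    p = prefix.strip().lower()
    if p in {"*", "internet", "any"}:
        return True
    try:  # 0.0.0.0/0 and ::/0 are "everything" spelled as CIDRs
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:  # service tag (VirtualNetwork, ...) or an ASG name
        return False


def port_in_range(port, port_range):
    """Match a port against an NSG range: "*", "9200" or "9200-9300"."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def effective_inbound_access(custom_rules, port, protocol="Tcp"):
    """Return (access, rule name) for Internet traffic to `port`, as Azure decides it."""
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"])
    for rule in ordered:
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        proto = rule.get("protocol", "*")
        if proto != "*" and proto.lower() != protocol.lower():
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(prefix_admits_internet(s) for s in sources):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(port_in_range(port, r) for r in ports):
            continue
        return rule["access"], rule["name"]  # first match wins
    return "Deny", "DenyAllInBound"


def find_exposures(custom_rules, ports=(9200, 9300)):
    """List (port, rule) pairs where the NSG lets the public Internet reach the port."""
    hits = []
    for port in ports:
        access, name = effective_inbound_access(custom_rules, port)
        if access == "Allow":
            hits.append((port, name))
    return hits


# Constructed sample: an NSG that exposes an Elasticsearch node. The deny rule at
# priority 200 is never reached because the broad allow at 100 matches first.
EXPOSED_NSG = [
    {"name": "AllowAnyInBound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyElasticFromInternet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["9200-9300"]},
]

# Constructed sample: the corrected NSG, which admits the cluster ports only from
# the application subnet and relies on DenyAllInBound for everything else.
RESTRICTED_NSG = [
    {"name": "AllowElasticFromAppSubnet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.1.2.0/24",
     "destinationPortRanges": ["9200", "9300"]},
]

if __name__ == "__main__":
    for label, nsg in (("exposed", EXPOSED_NSG), ("restricted", RESTRICTED_NSG)):
        print(label, find_exposures(nsg) or "no Internet exposure")
```

Run against real output of `az network nsg show`, the `securityRules` array is what `find_exposures` expects. Note that the audit only answers whether the Internet can reach the port; a rule that admits a broad public range such as a /8 would pass this check and still deserve a look, and a clean NSG says nothing about whether the Elasticsearch endpoint behind it requires authentication.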
Microsoft, meanwhile, clarified that the misconfiguration was specific to the company's internal customer support database and did not affect Azure, the company's cloud service. "This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services," Microsoft said.
Microsoft added that although it offers solutions that can prevent such cloud misconfigurations, these were not enabled on the exposed database.
The misconfiguration in Microsoft's own cloud account isn't an isolated case. As organizations have moved their digital business operations into the cloud, misconfigurations have become a common occurrence. Besides Microsoft's exposed database, Diachenko and Comparitech have also found data exposed by misconfigurations at organizations such as MedicareSupplement, CenturyLink and Choice Hotels.
The Azure misconfiguration exposing 250 million Microsoft customer records demonstrates that cloud misconfigurations affect organizations of all sizes. Even a large organization with many security teams and tools at hand isn't immune to them. Small organizations, with a small cybersecurity team or none at all and few tools to prevent misconfigurations, are at least as exposed.
Under the shared responsibility model, Cloud Service Providers (CSPs) such as Microsoft for Azure and Amazon for Amazon Web Services (AWS) are responsible for the security of the underlying cloud platform, while customers remain responsible for securing, and detecting threats to, the resources they deploy on it, including the network rules that control who can reach them.
Microsoft, for its part, said that it will implement the following measures in order to prevent another misconfiguration incident:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
“As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available,” Microsoft said.
Many organizations fall victim because their internal staff aren't trained and lack the skills required to securely configure and migrate information to the cloud.
Call our trained and certified experts today at (416) 920-3000 or email firstname.lastname@example.org for a quick assessment of your Cloud infrastructure. If you are vulnerable, we will help you mitigate the risks fast.