Lessons from Microsoft’s 250 million data record exposure
Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem.
The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated the breach, communicated to customers, and graciously thanked the security researchers.
Yes, it is terrible that sensitive data for over two-hundred million people were exposed, but how an organization responds to an exposure reveals its true nature and commitment to security, privacy, and safety.
As a former cyber incident commander for a major technology corporation, I can see a number of important lessons to be learned through this snapshot engagement:
1. No matter how much you spend, what technology you use, or how skilled your operators, accidents and breaches will still happen. Nevertheless, the likely rate and impact is relative to those aspects, so it is far better to maintain a strong security posture.
2. The ability to be rapidly notified by third parties and spin-up a crisis team showcases your pragmatic insight to sustainable security.
3. A commitment to openly recognize the issue and address it quickly proves the trustworthiness of the organization.
4. Properly investigating to understand the potential impact and quickly communicating to affected parties determines the level of commitment to professional ethics.
5. Giving credit to those who found the problem in your systems, that affected your customers, is simply a class act that will pay-forward with other security researchers in the future, and shows long-term commitment to being a responsible part of the global digital ecosystem.
Overall, I think Microsoft did an excellent job in responding to this data exposure event and it reinforces its current reputation as one of the best security teams in existence. There are also a number of changes that need to be implemented to improve prevention capabilities so this does not happen again in other areas. I fully expect the crisis team to have already prepared several process improvements, oversight requirements, and access controls validations to be instituted.
Learning from incidents is incredibly valuable to reducing future events, if the lessons are embraced, implemented, and sustained. With a well-supported and capable cyber crisis team, companies can continually improve their security posture, rapidly address issues, and showcase a professional response to bolster customer trust, even when unforeseen events occur.