Discovery and Corrections
The company attributed the fault to a misconfiguration of security rules that occurred while changing the database's network security group on December 5, 2019. This was found by security researcher Bob Diachenko and soon reported to Microsoft. He was surprised by, and even appreciated, Microsoft's immediate response in correcting it, even on New Year's Eve. Microsoft later gave assurances that no personal or sensitive information of any of its customers or commercial cloud services was exposed, and that it had found no malicious use of the data anywhere so far.
Automatically Redacted
The five exposed servers, which all held the same data, contained around 250 million entries with information such as email addresses, IP addresses, and support case details; according to Microsoft, customers were anonymized through redaction. Yet it did not confirm that all the records were free of personal information, as data stored in a non-standard format (due to spaces and other specifics) may have been left unredacted. Finally, it apologized for the incident and said it was notifying customers who are in the redacted database. To prevent such incidents in the future, it outlined a few measures:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
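The redaction gap described above (values in a non-standard format, such as ones containing spaces, slipping past automated redaction) can be illustrated with the following added example, which is not Microsoft's code. It assumes email addresses as the redacted field; the patterns, the placeholder string, and the sample records are constructed for illustration.

```python
import re

# Strict pattern: only well-formed addresses such as user@example.com.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant pattern (assumption): also accepts whitespace around the "@".
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)

PLACEHOLDER = "[REDACTED_EMAIL]"  # contains no "@", so it never trips the check

# Constructed sample records; not data from the incident.
SAMPLE_RECORDS = [
    "Case 1001: customer alice@example.com reports login failure",
    "Case 1002: reply sent to bob @ example.org yesterday",
    "Case 1003: contact carol@example . net about billing",
    "Case 1004: no contact details recorded",
]


def redact(text, pattern):
    """Replace every match of the pattern with the placeholder."""
    return pattern.sub(PLACEHOLDER, text)


def residual_hits(lines):
    """Indexes of lines that still contain '@' after redaction.

    A pattern can only remove what it recognises, so this independent
    check flags leftovers for review instead of trusting the pattern.
    """
    return [i for i, line in enumerate(lines) if "@" in line]


def audit(records, pattern):
    """Redact all records, then report which ones still look unredacted."""
    redacted = [redact(r, pattern) for r in records]
    return redacted, residual_hits(redacted)


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        redacted, leftovers = audit(SAMPLE_RECORDS, pattern)
        print(name, "-> records needing review:", leftovers)
        for line in redacted:
            print("   ", line)
```

Even the tolerant pattern leaves one record unredacted, which is why the residual check runs after redaction instead of relying on any single pattern.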