By Sherri Davidoff   /   Jan 29th, 2020

3 Things We Can All Learn from Microsoft’s Cloud Data Breach

Even Microsoft misconfigures Azure. What does that mean for the rest of us?

After Microsoft announced a cloud data breach that resulted in the accidental exposure of 250 million customer support records last week, cloud misconfiguration issues once again burst into the cybersecurity spotlight. On the bright side, Microsoft launched a model response, illustrating how a quick and effective reaction can preserve the public’s trust and prevent a media disaster following a cloud data breach announcement.

Discover the three big takeaways from Microsoft’s cloud data breach, as well as how you can protect your organization.

1. Protect Against Cloud Misconfiguration

According to Microsoft’s disclosure, a change was made to their security rules on December 5 that accidentally allowed unauthorized access to a database containing 14 years of customer support information. While most (but not all) of the personal customer information was redacted, criminal gangs can leverage this data to conduct targeted tech support scams against Microsoft customers. These scams are already a widespread problem, and the exposed data could help criminals craft even more effective attacks.

“Misconfigurations are unfortunately a common error across the industry,” wrote Microsoft in their disclosure. From CapitalOne’s infamous Amazon cloud data breach to Facebook’s leak of more than 540 million records to the exposure of 1.2 billion social media profiles in Google Cloud, misconfiguration errors have caused countless headlines. What’s more, they’re on the rise: information disclosure incidents caused by misconfiguration increased by 21% compared with other types of errors, according to the most recent Verizon Data Breach Investigations Report.

Although Microsoft has features that can help identify and protect against misconfiguration errors, they were reportedly “not enabled for this database.” This gets to the crux of many cloud data breaches: while cloud providers do offer many security features, they are often not enabled by default. Instead, customers need to manually enable them. For example, when you create a new service in Azure, it is accessible to the entire Internet by default. Administrators often do not realize this, or intend to lock down permissions later, and then forget. “Often… servers are brought online in haste and configured to be open to the public, while storing non-public data,” wrote Verizon.

Security features can also be complex and challenging to properly employ (such as the upgrades to Amazon’s metadata service which they rolled out after the CapitalOne data breach). Compounding this problem, McAfee has reported that “40% of IT leaders are slowing cloud adoption due to a shortage of cybersecurity skills.”

To combat the rising threat of cloud data breaches, organizations need a strategy to proactively prevent and detect cloud misconfigurations. Here are some tips:

  • Audit your cloud configuration – Routine cloud configuration reviews are now an essential part of a strong security program.
  • Implement misconfiguration detection and alerting tools – Microsoft themselves made a commitment to expanding detection and “adding additional alerting to service teams when… misconfigurations are detected.” Take advantage of SecureScore and other tools offered by your cloud provider or third parties.
  • Leverage defense-in-depth – Make sure you have multiple layers of security in place, so that if a database is accidentally made accessible to the Internet, the data within it is still protected by strong authentication and encryption.
  • Train IT administrators in specific cloud technologies – Popular cloud providers such as Amazon and Microsoft offer online training and certification classes which are convenient and practical. Encourage your IT team to take advantage of these training opportunities regularly.

2. Have a Cloud Data Breach Response and Disclosure Plan

Microsoft’s team was commended for their effective response — and rightfully so. Researcher Bob Diachenko reported the issue on December 31, and Microsoft quickly reacted and secured the data. “I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve,” wrote Diachenko.

Organizations around the world can learn from Microsoft’s model response to this breach. “Coordinated disclosure” — in which vulnerable companies work constructively with researchers to publish issues — has become a hot topic. Instead of stonewalling or sanctioning researchers that report issues, today the best practice is for organizations to respond quickly to researchers and collaborate on the investigation and public disclosure. In this way, vulnerable or breached organizations can maintain some control over the disclosure process, and help minimize damage both for the organization and any individuals affected.

Microsoft also did an excellent job crafting their disclosure notice. In my “Data Breaches” book, we discuss the importance of preserving the 3 C’s of Trust: Competence, Character and Caring. Microsoft did just that in their announcement, transparently sharing details of the data exposure, and accepting responsibility. “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” they wrote, before thanking the researcher who reported the issue.

Here are elements of Microsoft’s data breach response that all organizations can benefit from:

  • Quick response – Don’t wait to respond to reports of a potential cloud data breach. React quickly to investigate, communicate and address any issues.
  • Coordinated disclosure – Work collaboratively with researchers who report issues to investigate and publish them, in order to maintain control and minimize damage.
  • Effective notification – Craft a notification that preserves trust by illustrating your competence, character and caring (3 C’s).
  • Take responsibility and apologize clearly – An effective apology works wonders for defusing public anger and can dramatically reduce reputational damage.

3. Reduce and Redact Your Sensitive Data

Redaction can save you from a cloud data breach—but only if you do it right. In Microsoft’s case, their collection of 250,000 customer service records had been redacted using an automated program, but unfortunately it didn’t remove 100% of personally identifiable information. “In some scenarios, the data may have remained unredacted if it met specific conditions,” explained Microsoft. “An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, ‘XYZ @contoso com’ vs ‘[email protected]’).”

As a result of the incomplete redaction, Microsoft had to notify all customers that had personally identifiable information remaining in the database. This issue is all-too-common: data entry errors occur frequently, resulting in variations of the standard format within databases. As a result, simple redaction techniques can miss sensitive information that is formatted in unusual or different ways. Had Microsoft implemented more sophisticated redaction techniques and fully removed sensitive information before the database was exposed, they may not have needed to notify customers (or the public) at all.

Most importantly, consider whether you need to store certain data at all, especially in the cloud. Microsoft’s exposed database included customer service records dating back to 2005. While some organizations may benefit from retaining data for long periods of time, carefully evaluate whether the potential benefits are worth the risks. Data is a hazardous material, and reducing your volume of data stored in the cloud will directly reduce your risk of a cloud data breach.

  • Redact Data Effectively – Use sophisticated, modern tools to fully redact sensitive information from databases whenever possible.
  • Routinely Check Your Data – Conduct manual audits and spot-checks to verify that your redaction program was successful.
  • Reduce Your Data – Do you really need to store sensitive data for years or decades? Carefully consider whether you can reduce the volume of sensitive data stored on your cloud systems. The more data you delete, the lower your risk of a cloud data breach.
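The redaction gap Microsoft describes (an address typed as “XYZ @contoso com” slipping past an automated tool) and the “routinely check your data” step above, shown as an added example; this is illustrative code written for this article, not Microsoft’s redaction program. The sample records and the two regular expressions are constructed for the demonstration, and the canonical address form is assumed to be `xyz@contoso.com`.

```python
import re

# Constructed sample support records (not real data), in the style of the
# incident described above: one canonical address, two "non-standard" ones.
SAMPLE_RECORDS = [
    "Case 1: customer xyz@contoso.com reports a login failure",
    "Case 2: follow-up with XYZ @contoso com by phone",
    "Case 3: contact is jane . doe @ contoso . com (typed by agent)",
    "Case 4: no contact details captured",
]

# Naive pattern: only the canonical local@domain.tld form, nothing else.
# This is the kind of rule that leaves spaced-out addresses unredacted.
NAIVE_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Tolerant pattern: dots and '@' may be surrounded by whitespace, and a domain
# whose dot was dropped entirely ("contoso com") is still recognised when it
# is followed by a short TLD-like token.
TOLERANT_EMAIL = re.compile(
    r"[\w+-]+(?:\s*\.\s*[\w+-]+)*"          # local part, dots may be spaced
    r"\s*@\s*"                              # '@' with optional spaces
    r"(?:[\w-]+(?:\s*\.\s*[\w-]+)+"         # domain with (spaced) dots ...
    r"|[\w-]+\s+[A-Za-z]{2,6}\b)"           # ... or "domain tld", dot lost
)


def redact(record, pattern=TOLERANT_EMAIL):
    """Replace every address the pattern recognises with a fixed token."""
    return pattern.sub("[REDACTED]", record)


def redact_all(records, pattern=TOLERANT_EMAIL):
    """Redact a whole batch of records with the given pattern."""
    return [redact(r, pattern) for r in records]


def residual_candidates(records):
    """Post-redaction spot-check: return the indices of records that still
    contain an '@', so they can be pulled for manual review."""
    return [i for i, r in enumerate(records) if "@" in r]


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        out = redact_all(SAMPLE_RECORDS, pattern)
        print(f"{name}: records still containing '@' -> {residual_candidates(out)}")
```

Running it shows the naive rule leaving cases 2 and 3 exposed while the tolerant rule clears all four; the residual check is the audit step that would have caught the gap before the data was ever exposed.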

There’s a lot we can all learn from Microsoft’s cloud data breach. Make sure to protect against cloud misconfiguration, implement an effective cloud data breach response program, and redact your sensitive data. LMG Security’s team specializes in cloud configuration reviews, risk assessments and data breach response program development—contact us if you need expert assistance. For more tips on proactively preventing a cloud data breach, read: Stopping Cloud Storage Breaches in Their Tracks.

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.