Microsoft has confirmed that a misconfigured endpoint accidentally leaked business and personally identifiable information (PII) for some customers.
The tech giant said it was made aware of the incident by threat intelligence firm SOCRadar on September 24, and secured the endpoint with authentication shortly afterwards.
“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” it said.
“The business transaction data included names, email addresses, email content, company name and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”
SOCRadar claimed in its own blog post yesterday that as many as 65,000 “entities” across 111 countries around the world were affected by the leak. It noted that the incident stemmed from a misconfigured Azure Blob Storage bucket.
The firm acknowledged that Microsoft fixed the misconfiguration within several hours.
However, the Redmond giant claimed SOCRadar “greatly exaggerated” the size of the leak and took other steps not conducive to maximizing customer security.
“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error,” it said.
“More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
It said all affected customers have been notified by the firm.
Some parts of this article are sourced from:
www.infosecurity-journal.com