Microsoft exposed for leaking 2.4TB of sensitive customer data, 65,000 companies affected

Cybersecurity vendor SOCRadar recently notified Microsoft of a major data breach, claiming that more than 2.4 terabytes of sensitive customer data were compromised and 65,000 companies were affected, according to foreign media reports. Microsoft has acknowledged the incident but argued that SOCRadar “exaggerated the scope and severity of the breach.”

SOCRadar said that on September 24, 2022, the company’s built-in cloud security module detected a misconfiguration of Azure Blob storage maintained by Microsoft that contained sensitive data from a well-known cloud provider. Analysis revealed that the compromised data included proof-of-execution (PoE) and statement of work (SOW) documents, user information, product orders/quotes, project details, personally identifiable information (PII) data, and documents that may have compromised intellectual property.

SOCRadar disclosed that the above issues resulted in the compromise of a significant amount of data from 65,000 affected companies, including names, email addresses, email content, company names and phone numbers, and business documents with affected customers and Microsoft or Microsoft-authorized partners. Some of these documents were dated between 2017 and August 2022, a span of five years. These companies are based in 111 countries and territories.

SOCRadar used a dedicated data breach search portal, BlueBleed, to conduct the search, which allowed companies to confirm whether their sensitive information was exposed in the compromised data. 2.4 terabytes of data containing sensitive information was found on Microsoft’s servers alone, SOCRadar claimed, and in analyzing the compromised files, it found more than 335,000 emails, 133,000 items and 548,000 usernames.

SOCRadar warned that “criminals may use the information in different forms to blackmail, create social engineering tactics with the help of exposed information, or simply sell the information to the highest bidder on the dark web and telegraph channels.”

Microsoft responded on Thursday, saying that SOCRadar “exaggerated the scope and severity of the breach” because much of the exposed data included “duplicate information, multiple references to the same emails, projects and users.” In addition, Microsoft said the problem was caused by an unintentional misconfiguration on an endpoint that was not used across the Microsoft ecosystem and was not part of a security breach.

Microsoft’s post lacks key details, such as a more detailed description of the compromised data or how many current or potential customers Microsoft believes were affected. In addition, the post accuses SOCRadar of using numbers that Microsoft believes are inaccurate. When an affected customer contacted Microsoft to ask if data from his company had been compromised, Microsoft responded, “We are unable to provide data on the specific impact.”

In addition, Microsoft condemned SOCRadar for collecting data and using a dedicated search portal to conduct searches, saying it was “not in the best interest of ensuring customers’ privacy or security and could expose them to unnecessary risk.” The company’s support team also told customers that it would not notify the data regulator of the incident.

Critics have also faulted the way Microsoft directly notified affected customers. The company contacted the affected entities through Message Center, an internal messaging system Microsoft uses to communicate with administrators, and not all administrators have access to this tool, making it likely that certain notifications would not be seen.

Kevin Beaumont, an independent researcher, tweeted, “Microsoft can’t refuse to tell customers that data was stolen and apparently didn’t notify regulators, a response plan that clearly has major flaws.”

In addition to criticism of the way Microsoft disclosed the breach, the incident raises questions about Microsoft’s data retention policies. Often, data from years ago is of greater use to potential criminals than to the companies that hold it. In such cases, the best approach is usually to destroy the data on a regular basis.
