Below, you'll find a full timeline of Microsoft data breaches and security incidents, starting with the most recent. Search can be done via metadata (company name, domain name, and email). The company also stated that it has directly contacted customers that were affected by the breach. A security lapse left an Azure endpoint available for unauthenticated access in the incident, termed "BlueBleed." While the exact number isn't clear, the issue potentially impacted over 30,000 U.S. companies, and as many as 60,000 companies worldwide. However, News Corp uncovered evidence that emails were stolen from its journalists. This misconfiguration resulted in unauthenticated access to some business transaction data, it says. Once within the system, attackers could also view, alter, or remove data, create new user accounts, and more. In Microsoft's server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now. SOCRadar executives stated that the company does not keep any of the data it comes across and has since deleted any data that its tool may have accessed. Scans for data will pick up those surprise storage locations. It's also important to know that many of these crimes can occur years after a breach. The exposed data includes, for example, emails from US .gov, talking about O365 projects, money etc - I found this not via SOCRadar, it's cached. Considering the potentially costly consequences, how do you protect sensitive data? SOCRadar's data leak search portal is named BlueBleed and it allows companies to find if their sensitive info was also exposed with the leaked data. Microsoft also took issue with SOCRadar's use of the BlueBleed tool to crawl through servers to figure out what information, if any, may have been exposed as a result of security flaws or breaches.
Insights every organization needs to defend themselves. Our technologies connect billions of customers around the world. They were researching the system and discovered various vulnerabilities relating to Cosmos DB, the Azure database service. "On September 24, 2022, SOCRadar's built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider," SOCRadar said. As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. Microsoft stated that a very small number of customers were impacted by the issue. For their part, Lapsus$ has repeatedly stated that their motivations are purely financial: Remember: The only goal is money, our reasons are not political. They appear to exploit insider threats, and recently posted a notice asking tech workers to compromise their employers. The research firm insists that it has not overstepped any privacy protocols in its work and none of the information it uncovered was saved on its end. The cost of a data breach in 2022 was $4.35M - a 12.7% increase compared to 2020, when the cost was $3.86M. "This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," the company revealed. The fallout from not addressing these challenges can be serious. However, it wasn't clear if the data was subsequently captured by potential attackers. on August 12, 2022, 11:53 AM PDT.
Hacker group LAPSUS$ - branded DEV-0537 in Microsoft's blog post . Sometimes, organizations collect personal data to provide better services or other business value. As the specialist looked for more details regarding what was happening, more hacking activity was uncovered. History has shown that when it comes to ransomware, organizations cannot let their guards down. Trainable classifiers identify sensitive data using data examples. While some of the data that may have been accessed seem trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers, Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. Redmond added that the leak was caused by the "unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem" and not due to a security vulnerability. Learn four must-haves for multicloud data protection, including how an integrated solution provides greater scalability and protection across your multicloud and hybrid environment. The screenshot posted to their Telegram channel showed that Bing, Cortana, and other projects had been compromised in the attack. Retardistan is by far the largest provider of tools to keep our youth memerised, so take a break sit back and think about what would be good for our communities and not just for your hip pocket. These buckets, which the firm has dubbed BlueBleed, included a misconfigured Azure Blob Storage instance allegedly containing information on more than 65,000 entities in 111 countries. He was imprisoned from April 2014 until July 2015. "Our investigation found no indication customer accounts or systems were compromised.
Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users, Microsoft pointed out. 2021. The victim was reportedly one of only four employees at the company that had access to a shared folder that provided the keys to customer vaults. "We've confirmed that the endpoint has been secured as of Saturday, September 24, 2022, and it is now only accessible with required authentication," Microsoft said. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD 4.24 million each.1 About 45 million people were impacted by healthcare data breaches alone, triple the number impacted just three years earlier.2 This blog describes how the rule is an opportunity for the IT security team to provide value to the company. The screenshot was taken within Azure DevOps, a collaboration software created by Microsoft, and indicated that Bing, Cortana, and other projects had been compromised in the breach. Why does Tor exist? You happily take our funds for your services you provide (I would call them products, but products generally don't break down and require updates to keep them working), but hey I am no tech guru. Average Total Data Breach Cost Increase By 2.6%. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. Microsoft Data Breach. One thing is clear, the threat isn't going away. No data was downloaded. April 2022: Kaiser Permanente. Whether the first six months of 2022 have felt interminable or fleeting, or both, massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of . (Matt Wilson), While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.
The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.5 Microsoft servers have been subject to a breach that might have affected over 65,000 entities across 111 countries, according to the security research firm, SOCRadar. For instance, you may collect personal data from customers who want to learn more about your services. Microsoft has confirmed that it inadvertently exposed information related to prospective customers, but claims that the company which reported the incident has exaggerated the numbers. Data discovery, data classification, and data protection strategies can help you find and better protect your company's sensitive data. Learn how Rabobank, Fannie Mae, and Ernst & Young maximized their existing Microsoft 365 subscriptions to gain integrated data loss prevention and information protection. March 16, 2022. On March 20, 2022, the hacker group Lapsus$ posted a screenshot to their Telegram channel indicating that they had breached Microsoft. 2 Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. Due to persistent pressure from Microsoft, we even have to take down our query page today, he added. Instead of finding these breaches out by landing on a page by accident or not, is quite concerning. Some solution providers divorce productivity and compliance and try to merely bolt-on data protection. In this climate of data gathering and privacy concerns, the Tor browser has become the subject of discussion and notoriety. It all began in August 2022, when LastPass revealed that a threat actor had stolen the app's source code. Almost 2,000 data breaches reported for the first half of 2022.
by Lance Whitney in Security. The hacker gained access to the personal data through an employee's email that contained sensitive information including patient names, medical information, and test results. In August 2021, word of a significant data leak emerged. Hey Sergiu, do you have a CVE for this so I can read further on the exposure? Microsoft did not say how many potential customers were exposed by the misconfiguration, but in a separate post, SOCRadar, which describes the exposure as BlueBleed, puts the figure at more than 65,000. January 17, 2022. In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US plus $18.2 million and $19.5 million . The company has also been making a bigger push and investment in cybersecurity with its new Microsoft Security Experts program and integrating security intelligence into its Windows Defender tool. The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. Along with accessing computer networks without authorization, the group used stolen credentials to get into a secured building and acquired development kits. If there's a cyberattack, hack, or data breach you should know about, then we're on it. However, with the sheer volume of hacks, it's likely that multiple groups took advantage of the vulnerability. For data classification, we advise enforcing a plan through technology rather than relying on users. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions.
Data leakage protection is a fast-emerging need in the industry. This will make it easier to manage sensitive data in ways to protect it from theft or loss. Not really. Update October 20, 08:15 EDT: Added SOCRadar statement and info on a notification pushed by Microsoft through the M365 admin center on October 4th. (Torsten George), The conventional tools we rely on to defend corporate networks are creating gaps in network visibility and in our capabilities to secure them. Can somebody tell me how much BlueBleed (socradar.io) is trustworthy? You can think of it like a B2B version of haveIbeenpwned. Microsoft disputed SOCRadar's claims and fired back at the researchers stating that their estimations are over-exaggerated. The company believes such tools should include a verification system to ensure that a user can only look for data pertaining to them, and not to other users. Microsoft released guidance on how to fully merge the Microsoft and Skype account data, giving users a solution. Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding. The hacker was charging the equivalent of less than $1 for the full trove of information. The most recent Microsoft breach occurred in October 2022, when data on over 548,000 users was found on a misconfigured server. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Microsoft has confirmed one of its own misconfigured cloud systems led to customer information being exposed to the internet, though it disputes the extent of the leak. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Overall, at least 47 companies unknowingly made stored data publicly accessible, exposing at least 38 million records.
Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. Microsoft. According to the newest breach statistics from the Identity Theft Research Center, the number of victims . And you don't want to delete data too quickly and put your organization at risk of regulatory violations. Microsoft said the scale of the data breach has been 'greatly exaggerated', while SOCRadar claims around 65,000 companies were impacted. Data leakage protection tools can protect sensitive documents, which is important because laws and regulations make companies accountable. Organizations can face big financial or legal consequences from violating laws or requirements. "We are highly disappointed about MSRC's comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster." However, an external security research firm who reported the issue to Microsoft, confirmed that they had accessed the data as a part of their research and investigation into the issue." While it's known that the records were publicly accessible, it isn't clear whether the data was actually accessed by cybercriminals. Additionally, we found that no customer accounts and systems were compromised due to unrestricted access. Microsoft is investigating claims that an extortion-focused hacking group that previously compromised massive companies such as Ubisoft and Nvidia has gained access to internal . Numerous government agencies including the Department of Defense, Department of Homeland Security, Department of Justice, and Federal Aviation Administration, among others were impacted by the attack.
The cloud is nothing more than a tool, not the be all end all digital savior that it's marketed as and that many believe it to be. While the internet has dramatically expanded the ability to share knowledge, it has also made issues of privacy more complicated. In March 2022, the group posted a torrent file online containing partial source code from . The database contained records collected dating back as far as 2005 and as recently as December 2019. The company secured the server after being. The leaked data does not belong to us, so we keep no data at all. Additionally, several state governments and an array of private companies were also harmed. Microsoft uses the following classifications: Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Microsoft also disputed some key details of SOCRadar's findings: After reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Microsoft acknowledged the data leak in a blog post. Computing giant Microsoft is no stranger to cyberattacks, and on March 20th 2022 the firm was targeted by a hacking collective called Lapsus$. It's Friday, October 21st, 2022. 2 Risk-based access policies, Microsoft Learn. SOCRadar said the exposed data belonged to Microsoft and it totaled 2.4 Tb of files collected between 2017 and August 2022. Microsoft has confirmed that the hacker group Lapsus$ breached its security system, after the digital extortion gang claimed credit earlier this week.
Microsoft said today that some of its customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. After SOCRadar flagged a Microsoft data breach at the end of October, the company confirmed that a server misconfiguration had caused 65,000+ companies' data to be leaked. 4 Work Trend Index 2022, Microsoft. The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Threat intelligence firm SOCRadar reported that a Microsoft customer data breach affected hundreds of thousands of users from thousands of entities worldwide. In December 2010, Microsoft announced that customer data in Business Productivity Online Suite (BPOS), a cloud service, was accessible to other users of the software. Microsoft confirmed the breach on March 22 but stated that no customer data had . Almost 70,000 patients had their personal data compromised in a recent breach of Kaiser Permanente. The Microsoft Security Response Center blog reports that researchers reported a misconfigured Microsoft endpoint on September 24. Microsoft is a leader in cybersecurity, and we embrace our responsibility to make the world a safer place. In others, it was data relating to COVID-19 testing, tracing, and vaccinations. Posted: Mar 23, 2022 5:36 am. Data Breaches. $1.12M: average savings of containing a data breach in 200 days or less. Key cost factors: ransomware attacks grew and destructive attacks got costlier. According to the security firm, the leak, dubbed "BlueBleed I", covers data from 65,000 "entities" in 111 countries, from between 2017 and August 2022.
Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. Microsoft Digital Defense Report 2022: Illuminating the threat landscape and empowering a digital defense. The tech giant announced in June 2021 that it found malware designed to steal information on a customer support agent's computer, potentially allowing the hackers to access basic account information on a limited number of customers. Of the files that were collected, SOCRadar's analysis revealed that these included proof of concept works, internal comments and sales strategies, customer asset documents, product orders, offers, and more. Duncan Riley. Many people are justifiably worried about their personal information being stolen or viewed, including bank records, credit card info, and browser or login history. Besides what was found inside Microsoft's misconfigured server, BlueBleed also allows searching for data collected from five other public storage buckets. Microsoft confirmed that a misconfigured system may have exposed customer data. The misconfiguration in this case happened on the part of the third-party companies, and was not directly caused by Microsoft. Lapsus$ Group's Extortion Rampage. According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner. Even though Microsoft's investigation revealed that no customer accounts or systems were compromised, the SOCRadar security researchers who notified Microsoft of its misconfigured server were able to link information directly back to 65,000 entities across 111 countries in file data composed between 2017 and 2022, according to a report on Bleeping Computer.
Let's look at four of the biggest challenges of sensitive data and strategies for protecting it. Furthermore, Redmond said that SOCRadar's decision to collect the data and make it searchable using a dedicated search portal "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk." Shortening the time it takes to identify and contain a data breach to 200 days or less can save money. Bako Diagnostics' services cover more than 250 million individuals. The database wasn't properly password-protected for approximately one month (December 5, 2019, through December 31, 2019), making the details accessible to anyone with a web browser who managed to connect to the database. One of these fines was related to violating the GDPR's personal data processing requirements. (Marc Solomon). This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand, Kron added. Microsoft did publish Power Apps documentation describing how certain data could end up publicly accessible. Microsoft has criticised security firm SOCRadar for "exaggerating" the extent of the data leak and for making a search tool that allows organisations to see if their data was exposed. 6 Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. The intrusion was only detected in September 2021 and included the exposure and potential theft of . A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. This misconfiguration resulted in the possibility of "unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers". For instance, an employee may have stored a customer's SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge.
Microsoft Corp. today revealed details of a server misconfiguration that may have compromised the data of some potential customers in September. Along with distributing malware, the attackers could impersonate users and access files. Microsoft, one of the world's largest technology companies, suffered a serious security breach in March 2022. According to a Microsoft 365 Admin Center alert regarding this data breach published on October 4, 2022, Microsoft is "unable to provide the specific affected data from this issue." 5 The future of compliance and data governance is here: Introducing Microsoft Purview, Alym Rayani. The company revealed that information that may have been exposed as a result of the breach include names, email addresses, email content, company name, phone numbers, and other attached files, but Microsoft stopped short of revealing how many entities were impacted. In a year of global inflation and massive rises in energy costs, it should come as no surprise that the cost of a data breach has also reached . SOCRadar described it as "one of the most significant B2B leaks". A sophisticated attack on Microsoft Corp.'s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before . At the same time, the feds have suggested Microsoft and Twitter need to pull their socks up and make their products much more secure for their users, according to CNBC. Policies related to double checking configuration changes, or having them confirmed by another person, is not a bad idea when the outcome could lead to the exposure of sensitive data.
In April 2019, Microsoft announced that hackers had acquired a customer support agent's credentials, giving them access to some webmail accounts including @outlook.com, @msn.com, and @hotmail.com accounts between January 1, 2019, and March 28, 2019. A hacking group known as the Xbox Underground repeatedly hacked Microsoft systems between 2011 and 2013. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual. The exposed information allegedly included over 335,000 emails, 133,000 projects, and 548,000 users. Microsoft solutions offer audit capability where data can be watched and monitored but doesn't have to be blocked. This presentation will provide an overview of the security risks associated with SaaS, best practices for mitigating these risks and protecting data, and discuss the importance of regularly reviewing and updating SaaS security practices to ensure ongoing protection of data. We must strive to be vigilant to ensure that we are doing all we can to . The total damage from the attack also isn't known. Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. October 20, 2022. The IT security researchers at SOCRadar have identified a treasure trove of data belonging to the technology giant Microsoft that was exposed online thanks to a database misconfiguration. The researchers have dubbed the incident "BlueBleed." But there weren't any other safeguards in place, such as a warning notification inside the software announcing that a system change would make the data public.
A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. "Our investigation did not find indicators of compromise of the exposed storage location. The 10 Biggest Data Breaches Of 2022. In March, the hacker group Lapsus$ struck again, claiming to have breached Microsoft and shared screenshots taken within Azure DevOps, Microsoft's collaboration software. Microsoft is disappointed that this tool has been publicly released, saying that it's not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk. Attackers gained access to the SolarWinds system, giving them the ability to use software build features.