A misconfiguration applied to five Elasticsearch database servers in December 2019 led to the exposure of 250 million customer support records for software maker Microsoft.
Changes made to the analytics database's network security group on December 5, 2019 introduced misconfigured security rules that exposed the data. Upon notification of the issue, Microsoft engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. The issue was specific to an internal database used for support case analytics and does not represent an exposure of the company's commercial cloud services.
The software maker shared news of the incident on the Microsoft Security Response Center: “Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics. While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
“Security misconfiguration of cloud services has become a recurring theme,” said Lawrence Livermore National Laboratory Senior Cyber Analyst Lee Neely. “While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed.”
The data exposure was discovered by cyber threat researcher Bob Diachenko during an internet-wide scan for exposed services. Microsoft was notified of the problem on December 29 and had fixed it by December 31. The company has confirmed that the vast majority of records had been cleared of personally identifiable information (PII). Customer notifications about the incident are being sent for database records where PII was not redacted.
As a security-conscious organization, the software provider appears not to have heeded its own recommendations. “Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database,” wrote the security response team.
Misconfigured Elasticsearch deployments are too often in the news. “How badly configured are those applications when used by less sophisticated organizations?” asked SANS Institute director of research Alan Paller. The disclosure should be a warning to companies of every size and level of security skill that are setting up cloud and open source applications.
The Next Steps: Leading By Example
As this incident shows, it is worth periodically reviewing your own configurations and making sure you are using every protection available. “Rapid deployment of solutions needs to include independent verification of the security settings prior to production release,” said Lawrence Livermore's Neely. “When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.”
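One concrete form that "independent verification of the security settings" can take is an automated check of the network security group before release. The script below is an added example written for this article; it is not Microsoft's code and does not come from the MSRC post. It walks an Azure-style NSG rule list in priority order and reports whether the Elasticsearch ports (9200 for the HTTP API, 9300 for transport) are reachable from arbitrary Internet addresses, then shows the same rule set narrowed to a trusted prefix. The rule set is constructed for the example, the field subset (`sourceAddressPrefix`, `destinationPortRange`, singular forms) is an assumption modelled on `az network nsg rule list` output, and the evaluation model is simplified: only rules whose source covers the whole Internet decide Internet-wide reachability, and a narrower public prefix is treated as an allow-list rather than an exposure.

```python
"""Added example: audit an NSG export for Internet-reachable Elasticsearch ports.

Not Microsoft's or Azure's code. The rule list and field subset are constructed
assumptions modelled on `az network nsg rule list -o json`; adapt the loader if
your export uses the plural `sourceAddressPrefixes`/`destinationPortRanges`.
"""
import ipaddress
import json

# Ports an Elasticsearch node listens on: 9200 (HTTP API) and 9300 (transport).
ELASTICSEARCH_PORTS = (9200, 9300)

# Source prefixes that mean "any address on the public Internet" in an NSG rule.
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Constructed NSG export. The priority-100 rule is the kind of over-broad change
# that exposes a database; priorities 65000+ mirror Azure's default rules.
SAMPLE_NSG_JSON = json.dumps([
    {"name": "allow-es-from-anywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "9200-9300"},
    {"name": "allow-ssh-from-jumphost", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.5/32",
     "destinationPortRange": "22"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001,
     "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
])


def port_in_range(port, port_range):
    """True if `port` falls within an NSG port spec: '*', '22', or '9200-9300'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def source_is_internet(prefix):
    """True if the rule's source covers every public Internet address."""
    if prefix in INTERNET_PREFIXES:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, ...) are not the Internet
    # A narrower public prefix is an allow-list, not an Internet-wide exposure.
    return net.prefixlen == 0


def effective_inbound_access(rules, port, protocol="Tcp"):
    """Evaluate inbound rules lowest priority number first, as Azure does, and
    return (access, rule_name) for the first rule that matches Internet-sourced
    traffic to `port`/`protocol`. NSGs deny inbound traffic by default."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"] not in ("*", protocol):
            continue
        if not port_in_range(port, rule["destinationPortRange"]):
            continue
        if not source_is_internet(rule["sourceAddressPrefix"]):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


def find_exposures(nsg_json, ports=ELASTICSEARCH_PORTS):
    """Return [(port, rule_name)] for each port reachable from the Internet."""
    rules = json.loads(nsg_json)
    exposed = []
    for port in ports:
        access, name = effective_inbound_access(rules, port)
        if access == "Allow":
            exposed.append((port, name))
    return exposed


def hardened_rules(nsg_json, trusted_prefix):
    """Narrow every Internet-wide Allow that reaches an Elasticsearch port to
    `trusted_prefix` (for example the analytics subnet) and return the JSON."""
    rules = json.loads(nsg_json)
    for rule in rules:
        if (rule["direction"] == "Inbound" and rule["access"] == "Allow"
                and source_is_internet(rule["sourceAddressPrefix"])
                and any(port_in_range(p, rule["destinationPortRange"])
                        for p in ELASTICSEARCH_PORTS)):
            rule["sourceAddressPrefix"] = trusted_prefix
    return json.dumps(rules)


if __name__ == "__main__":
    for port, rule in find_exposures(SAMPLE_NSG_JSON):
        print(f"EXPOSED: tcp/{port} reachable from the Internet via rule {rule!r}")
    fixed = hardened_rules(SAMPLE_NSG_JSON, "10.0.2.0/24")
    print("after hardening:", find_exposures(fixed) or "no Internet-reachable ports")
```

Run it against a real export by replacing `SAMPLE_NSG_JSON` with the output of `az network nsg rule list --nsg-name <name> -g <group> --include-default -o json`; the `--include-default` flag matters, because without the default `DenyAllInBound` rule the evaluation has nothing to fall through to and the script's implicit deny stands in for it. Wiring a check like this into the release pipeline, and re-running it on a schedule, is the "verification and monitoring of the security baseline" Neely describes.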
The data incident demonstrates how complex cyber security has become for enterprise organizations. “If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so,” said veteran IT expert William Hugh Murray. All of the certifications and robust technology in the world cannot overcome an unnecessarily cumbersome user experience. “We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision,” added Murray.