Microsoft database containing Customer Support data was accessible from the Internet
Microsoft has corrected an issue identified by a third-party security researcher where a database containing a subset of information related to customer support interactions was accessible to the internet between the dates of December 5, 2019 and December 31, 2019. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services. Once identified, Microsoft mitigated the issue, and our security team's investigation found no indication of malicious use of the database records.
As part of our commitment to your privacy, you are receiving this message because some of your support case data was identified during our analysis. Additionally, we identified that although our data scrubbing process largely removed any reference to your data or that of your users, in the interest of transparency we are notifying you that this database was temporarily accessible via the internet.
Affected customers are being notified of this event. To obtain the data specific to your organization that were potentially exposed, please visit this Microsoft Privacy page.
Summary of event
During the investigation, we determined that this information was potentially exposed due to a misconfiguration of network security group security rules.
Microsoft engineers determined that a change made to the database's network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the database information. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.
As part of Microsoft's standard operating procedures, data stored in the database is redacted using automated tools to remove personal information. Our investigation confirmed that the vast majority of records were redacted as intended. In some scenarios, the data may have remained unredacted if it met specific conditions. An example is information in a non-standard format, such as an email address written with spaces ("XYZ @contoso com") instead of in the standard form ("XYZ@contoso.com"). We have begun notifying customers whose data was present in this database.
We are committed to the privacy and security of your data and are taking action to prevent future occurrences of this issue. These actions include:
- Audit the established network security rules for internal resources.
- Expand the scope of the mechanisms that detect security rule misconfigurations.
- Add additional alerting to service teams when security rule misconfigurations are detected.
- Implement additional redaction automation.
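A check of the kind the first three actions above describe, added here as an illustration and not Microsoft's own tooling: it walks a constructed Azure NSG rule set in the order Azure applies it (lowest priority number first) and reports database ports that an arbitrary Internet client could reach, then shows the same rule set after the permissive source is narrowed. The rule names, the corporate address range and the port list are assumptions for the example.

```python
# Constructed sample shaped like an Azure NSG "securityRules" array (real Azure field
# names; rule contents are invented for this example, not Microsoft's configuration).
EXPOSED_RULES = [
    {"name": "allow-sql-inbound", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "1433"}},
    {"name": "allow-search-from-corp", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRanges": ["9200", "9300"]}},
    {"name": "deny-all-inbound", "properties": {
        "priority": 4096, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
]
# Remediated variant: the SQL rule admits only the (assumed) corporate range.
REMEDIATED_RULES = [dict(r, properties={**r["properties"], "sourceAddressPrefix": "10.20.0.0/16"})
                    if r["name"] == "allow-sql-inbound" else r for r in EXPOSED_RULES]

DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
            9200: "Elasticsearch", 27017: "MongoDB"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}   # matches any Internet address

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "1433" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def first_match_from_internet(rules, port):
    """Azure applies the matching rule with the lowest priority number. For a TCP packet
    from an arbitrary Internet address only rules with an 'anywhere' source can match;
    a rule scoped to a specific prefix is skipped, not treated as a deny."""
    inbound = sorted((r for r in rules if r["properties"]["direction"] == "Inbound"),
                     key=lambda r: r["properties"]["priority"])
    for rule in inbound:
        p = rule["properties"]
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]
        if p.get("protocol", "*") in ("*", "Tcp") and any(s in ANY_SOURCE for s in sources) \
                and any(_port_matches(spec, port) for spec in ports):
            return rule
    return None   # no explicit match: Azure's default DenyAllInBound rule applies

def find_exposed_db_ports(rules):
    """(port, service, rule name) for each database port an Internet client could reach."""
    findings = []
    for port, service in sorted(DB_PORTS.items()):
        rule = first_match_from_internet(rules, port)
        if rule is not None and rule["properties"]["access"] == "Allow":
            findings.append((port, service, rule["name"]))
    return findings
```

Run against a real NSG by loading the `securityRules` array from an exported template; findings are suitable input for the alerting the third action item describes.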
Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we've learned, it is good to periodically review your configurations and ensure you are taking advantage of all protections available.
This documentation is included as general guidance and is not intended to be all-inclusive for how to configure your environment.