UPDATED 21:57 EDT / JANUARY 22 2020

SECURITY

Microsoft exposes 250M customer service records via misconfigured Elasticsearch database

Microsoft Corp. today disclosed a data breach that exposed 250 million customer records via a misconfigured Elasticsearch database.

As is somewhat typical with these exposures, the database was exposed because the settings on the Elasticsearch database were set to “public.” The data was first exposed Dec. 5 and Microsoft secured the data Dec. 31.

As is also typical in these cases, the Microsoft data exposure was discovered by Bob Diachenko, a security researcher with Security Discovery. Diachenko, for those who don’t follow cybersecurity, has become the king of finding data breaches and is regularly credited with discovering high-profile ones. In the last three months, Diachenko discovered data breaches at Adobe Creative Cloud and Honda Motor Co. along with two other data breaches, one linked to Facebook Inc. and the other from a mystery source that included 1.2 billion records.

The data exposed by Microsoft consisted of customer service records going back 14 years, including email addresses, IP addresses and support case details. Microsoft did note that most records did not include personal information.

In response to the misconfiguration, Microsoft added that it’s auditing its network security rules as well as expanding the scope of the mechanisms that detect security rule misconfigurations.

“Misconfigurations are unfortunately a common error across the industry,” Microsoft’s Security Response Center noted. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

Robert Prigge, chief executive officer of identity verification firm Jumio Corp., told SiliconANGLE that the exposure has equipped cybercriminals with even more personal information to weaponize in future attacks.

Chris DeRamus, chief technology officer and co-founder of cybersecurity company DivvyCloud Corp., noted that misconfiguring a cloud server has become all too common, including recent data leaks at companies such as Rubrik, Voipo, Gearbest, Meditab and Dow Jones.

What’s remarkable about the incident, he added, is that in early November, Microsoft announced that it will honor the California Consumer Privacy Act throughout the U.S., and it was also the first company to extend the EU’s General Data Protection Regulation to customers around the world.

“This shows that even a forward-thinking company like Microsoft, who is unrelentingly dedicated to protecting their customers, can suffer a data breach due to misconfigurations,” he said. “If they can be affected, anyone can.”

Greg Wendt, executive director of ERP data security company Appsian Inc., said the exposure shows how challenging it is even for big companies to understand exactly where data is stored and who can access it. “Even after discovering the exposure, Microsoft can’t fully determine if the data was accessed by malicious actors,” he said.

Photo: Ben Franske/Wikimedia Commons
