Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible for about a month in total to anyone with a browser who knew the server's location, before an external researcher detected the problem.
The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated the breach, communicated to customers, and graciously thanked the security researchers.
Yes, it is terrible that sensitive data for over two hundred million people was exposed, but how an organization responds to an exposure reveals its true nature and its commitment to security, privacy, and safety.
As a former cyber incident commander for a major technology corporation, I can see a number of important lessons to be learned through this snapshot engagement:
1. No matter how much you spend, what technology you use, or how skilled your operators, accidents and breaches will still happen. Nevertheless, the likely rate and impact is relative to those aspects, so it is far better to maintain a strong security posture.
2. The ability to be notified rapidly by third parties and to spin up a crisis team shows a pragmatic understanding of sustainable security.
3. A commitment to openly recognize the issue and address it quickly proves the trustworthiness of the organization.
4. Properly investigating to understand the potential impact and quickly communicating to affected parties determines the level of commitment to professional ethics.
5. Giving credit to those who found the problem in your systems that affected your customers is simply a class act.