The messages were being sent through compromised accounts, including users that signed up for Microsoft's two-factor authentication. "Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems," SOCRadar VP of Research and CISO Ensar Şeker told BleepingComputer. Microsoft confirmed on Wednesday that a misconfigured endpoint exposed data, which the company said was related to business transaction data corresponding to interactions between Microsoft and prospective customers. Microsoft had quickly acted to correct its mistake to secure its customers' data. The hacker gained access to the personal data through an employee's email that contained sensitive information including patient names, medical information, and test results. The company believes such tools should include a verification system to ensure that a user can only look for data pertaining to them, and not to other users. "On this query page, companies can see whether their data is published anonymously in any open buckets." VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system. Additionally, they breached certain developer systems, including those operated by Zombie Studios, a company behind the Apache helicopter simulator used by the U.S. military.
"We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.". 3Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual. The extent of the breach wasnt fully disclosed to the public, though former Microsoft employees did state that the database contained descriptions of existing vulnerabilities in Microsoft software, including Windows operating systems. Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox. The breach . Welcome to Cyber Security Today. And you dont want to delete data too quickly and put your organization at risk of regulatory violations. The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shors algorithm to crack PKI encryption. The group posted a screenshot on Telegram to. October 2022: 548,000+ Users Exposed in BlueBleed Data Leak The conventional tools we rely on to defend corporate networks are creating gaps in network visibility and in our capabilities to secure them. However, it would have been nice to see more transparency from Microsoft about the severity of the breach and how many people may have been impacted, especially in light of the data that SOCRadar was able to collect. Learn how Rabobank, Fannie Mae, and Ernst & Young maximized their existing Microsoft 365 subscriptions to gain integrated data loss prevention and information protection. Microsoft is another large enterprise that suffered two major breaches in 2022. 
Update October 20, 08:15 EDT: Added SOCRadar statement and info on a notification pushed by Microsoft through the M365 admin center on October 4th. Microsoft has confirmed sensitive information from. by January 25, 2022. Per SOCRadar's analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents. The snapshot was of Azure DevOps, which is a collaboration software launched by Microsoft - it shared that Cortana, Bing, and other projects were compromised in the breach. Kron noted that although cloud services can be very convenient, and if secured properly, also very secure, when a misconfiguration occurs, the information can be exposed to many more potential people than on traditional internal on-premise systems. You happily take our funds for your services you provide (I would call them products, but products generally don't break down and require updates to keep them working), but hey I am no tech guru. In March 2013, nearly 3,000 Xbox Live users had their credentials exposed after participating in a poll and entering a prize draw. BlueBleed discovered 2.4TB of data, including 335,000 emails, 133,000 projects, and 584,000 exposed users, according to a report on Bleeping Computer. After digging deeper, the specialist noticed more unexpected activities, including requests relating to specific emails and for confidential files. Overall, hundreds of users were impacted. Since dozens of organizations including American Airlines, Ford Motor Co., and the New York Metropolitan Transportation Authority were involved, the nature of the exposed data varied. Attackers typically install a backdoor that allows the attacker .
Microsoft, one of the world's largest technology companies, suffered a serious security breach in March 2022. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. The exposed information allegedly included over 335,000 emails, 133,000 projects, and 548,000 users. SolarWinds is a major software company based in Tulsa, Okla., which provides system management tools for network and infrastructure monitoring, and other technical services to hundreds of thousands of organizations around the world. The details which included names, gamer tags, birthdays, and emails were accidentally published online and not accessed via a hack. In relatively short order, it was determined that four zero-day vulnerabilities were allowing unauthorized parties to access data, deploy malware, hijack servers, and access backdoors to reach other systems. The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.
In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD4.24 million each.1 About 45 million people were impacted by healthcare data breaches alone, triple the number impacted just three years earlier.2 After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Microsoft released guidance on how to fully merge the Microsoft and Skype account data, giving users a solution. The Microsoft Security Response Center blog reports that researchers reported a misconfigured Microsoft endpoint on September 24. SOCRadar described it as "one of the most significant B2B leaks". Some solution providers divorce productivity and compliance and try to merely bolt-on data protection. Several members of the group were later indicted, and one member, David Pokora, became the first foreign hacker to ever receive a sentence on U.S. soil. News Corp. News Corp., the publisher of the Wall Street Journal and a range of global media outlets, said in a securities filing that it was hit by a cyberattack in January 2022 and that some data . However, it isn't clear whether the information was ultimately used for such purposes. They also said they had secured the endpoint and notified the accounts that had been compromised, and elaborated that they found no evidence customer accounts had actually been compromised, only exposed. After SOCRadar flagged a Microsoft data breach at the end of October, the company confirmed that a server misconfiguration had caused 65,000+ companies' data to be leaked.
"Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users," Microsoft pointed out. Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. Security Trends for 2022. Microsoft servers have been subject to a breach that might have affected over 65,000 entities across 111 countries, according to the security research firm, SOCRadar. A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. Microsoft disputed SOCRadar's claims and fired back at the researchers stating that their estimations are over-exaggerated. March 3, 2022: Laboratory Bako Diagnostics (BakoDX) confirmed that the company experienced a data breach resulting in the personal and healthcare information of certain consumers being compromised. As the specialist looked for more details regarding what was happening, more hacking activity was uncovered. Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. Microsoft Breach 2022! The data discovery process can surprise organizations, sometimes in unpleasant ways. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. Why does Tor exist? In a speech given at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly pointed to Apple as a company that took security and accountability seriously, and suggested other companies should take note. A post in M365 Admin Center, ignoring regulators and telling acct managers to blow off customers ain't going to cut it. The exposed data includes, for example, emails from US .gov, talking about O365 projects, money etc - I found this not via SOCRadar, it's cached.
In January 2010, news broke of an Internet Explorer zero-day flaw that hackers exploited to breach several major U.S. companies, including Adobe and Google. In a second, subsequent attack, the hacker combined this data with information found in a separate data breach, then exploited a weakness in a remote-access app used by LastPass employees. Hacker group LAPSUS$ - branded DEV-0537 in Microsoft's blog post . According to one source, the hacker gained access to the Slack account of an HR employee, as well as data such as email addresses, phone numbers, and salaries of Activision employees. According to the newest breach statistics from the Identity Theft Research Center, the number of victims . Microsoft uses the following classifications: Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Flame wasn't just capable of infecting machines; it could also spread itself through a network using a rogue Microsoft certificate. We redirect all our customers to MSRC (Microsoft 365 Admin Center Alert) if they want to see the original data. Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. In 2021, the effects of ransomware and data breaches were felt by all of us. Due to persistent pressure from Microsoft, we even have to take down our query page today. In Microsoft's server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now.
", Furthermore, Redmond said that SOCRadar's decision to collect the data and make it searchable using a dedicated search portal "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk. The company revealed that information that may have been exposed as a result of the breach include names, email addresses, email content, company name, phone numbers, and other attached files, but Microsoft stopped short of revealing how many entities were impacted. SOCRadar executives stated that the company does not keep any of the data it comes across and has since deleted any data that its tool may have accessed. By SOCRadars account, this data pertained to over 65,000 companies and 548,000 users, and included customer emails, project information, and signed documents. "Our team was already investigating the. Data discovery, data classification, and data protection strategies can help you find and better protect your companys sensitive data. Microsoft has published the article Investigation Regarding Misconfigured Microsoft Storage Location regarding this incident. Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsofts verified publisher status. Along with distributing malware, the attackers could impersonate users and access files. Microsofts investigation found no indication that accounts or systems were compromised but potentially affected customers were notified. Of the files that were collected, SOCRadar's analysis revealed that these included proof of concept works, internal comments and sales strategies, customer asset documents, product orders, offers, and more. 6Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. Now, we know exactly how those attacks went down -- and the facts are pretty breathtaking. 
You can read more in our article on the Lapsus$ group's cyberattacks. Microsoft Digital Defense Report 2022 Illuminating the threat landscape and empowering a digital defense. The company's support team also reportedly told customers who reached out that it would not notify data regulators because "no other notifications are required under GDPR" besides those sent to impacted customers. Microsoft said that it does not believe that any data was improperly accessed prior to correcting the security flaw. According to a Microsoft 365 Admin Center alert regarding this data breach published on October 4, 2022, Microsoft is "unable to provide the specific affected data from this issue." A security lapse left an Azure endpoint available for unauthenticated access in the incident, termed "BlueBleed." The company revealed that it was informed of the isolated incident by researchers at SOCRadar, though both companies remain in disagreement over how many users were impacted and best practices that cybersecurity researchers should take when they encounter a breach or leak in the future. The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted. When an unharmed machine attempted to apply a Microsoft update, the request was intercepted before reaching the Microsoft update server. Microsoft is investigating claims that an extortion-focused hacking group that previously compromised massive companies such as Ubisoft and Nvidia has gained access to internal . "We are highly disappointed about MSRC's comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster."
