Microsoft researchers inadvertently expose 38TB of internal data


Clearly, Microsoft is on a run of bad luck. The American software publisher has once again been asked to explain an internal failure in its handling of data confidentiality, after revelations about the accidental exposure of 38 terabytes of data from one of its public GitHub repositories dedicated to artificial intelligence.

Last Monday, the Redmond firm explained how it was trying to learn the best lessons from the incident. It also gave assurances that no customer data had “been exposed” and that no other internal services had “been put at risk”.

30,000 messages

According to Wiz, a company specializing in cloud security, the accessible data included around 30,000 internal messages exchanged by 359 employees, passwords, and backups of the workstations of two Microsoft researchers.

This valuable data remained accessible for just under three years, with Microsoft closing access to it on June 24, 2023, two days after Wiz’s alert. It is unknown whether third parties may have actually had access to this data.

It all started with the accidental sharing, in July 2020, of a URL for a misconfigured online storage account. The URL made it possible to look well beyond the image-recognition artificial intelligence models that were initially shared.

A run of incidents

The story comes at the worst possible time for Microsoft, which is entangled in two other affairs. At the beginning of September, the publisher revealed how Storm-0558 operated. This high-profile espionage case, attributed to Chinese hackers, had raised questions about the security of the company’s messaging service. The hackers managed to get their hands on a Microsoft consumer signing key (MSA) wrongly kept in a “crash dump”, a first step which opened other doors for them.

The American press has also just noticed a new involuntary data leak. Facing the American competition authority, the Federal Trade Commission (FTC), in the case over the acquisition of Activision Blizzard, Microsoft tripped up by sharing with the courts documents from which confidential data had not been redacted. According to Wired, this is simply the largest information leak in the company’s history.


