Microsoft is facing criticism for the way it disclosed a recent security lapse that exposed what a security company said was 2.4 terabytes of data that included signed invoices and contracts, contact information, and emails of 65,000 current or prospective customers spanning five years.
The data, according to a disclosure published Wednesday by security firm SOCRadar, spanned the years 2017 to August 2022. The trove included proof-of-execution and statement of work documents, user information, product orders/offers, project details, personally identifiable information, and documents that may reveal intellectual property. SOCRadar said it found the information in a single data bucket that was the result of misconfigured Azure Blob Storage.
Microsoft can’t, or Microsoft won’t?
Microsoft posted its own disclosure on Wednesday that said the security company “greatly exaggerated the scope of this issue” because some of the exposed data included “duplicate information, with multiple references to the same emails, projects, and users.” Further using the word “issue” as a euphemism for “leak,” Microsoft also said: “The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability.”