The company discovered on Dec. 5 that a change within the database’s network security group had misconfigured security rules. The misconfiguration may have caused some data to be exposed. Microsoft engineers fixed the misconfiguration Dec. 31 to stop unauthorized access.
There is no evidence that any information stored in the database has been misused. Microsoft said only its internal database used for support case analytics was affected. The company’s commercial cloud services were not involved.
Much of the data stored in the support case analytics database is redacted. Only a limited amount of data was unredacted if it met specific conditions. Microsoft is notifying consumers whose data was not redacted.
Since the incident, Microsoft has begun auditing the established network security rules for internal resources, added more alerting systems, implemented additional redaction automation and expanded the scope of its detection of security rule misconfigurations.