The Impact of Redaction on Reducing a New Data Breach
July 25, 2022 | 4 minutes read
In January 2020, multinational technology corporation Microsoft confirmed that roughly 250 million customer service records had been exposed online through a misconfigured internal database. Many of these records documented conversations between Microsoft customer service representatives and customers using the company's range of products and services. The exposed records spanned 14 years: the earliest were dated 2005 and the most recent December 2019. On the discovery of the exposure, "Comparitech security researchers led by Bob Diachenko found the breach and notified Microsoft. Microsoft secured its database within 24 hours."
What forms of data were compromised during the breach?
The vast majority of the data exposed in the incident Microsoft confirmed in January 2020 consisted of support and customer service logs. Like virtually every large company, Microsoft retains these logs to document the conversations its customer service agents have over the course of their working days. In contrast with many other major corporations that have sustained similar breaches, however, much of the personally identifiable information communicated during these support conversations was not present in the exposed records, because it had been redacted before the records were stored.
As a result, the consequences of an exposure of this magnitude were greatly reduced, since customer support conversations often contain personal details such as full names, physical addresses, payment information, and driver's license numbers, among many others. Nevertheless, the exposed records still contained certain personal data: the email addresses of Microsoft customers, internal notes that Microsoft had designated as confidential, and IP addresses, as well as specific case numbers and resolutions. This is the practical caveat of redaction: it only protects the fields and formats the redaction rules actually recognize, and an email address paired with a real case number is exactly what a tech-support scammer needs to sound convincing.
Microsoft’s response to the data breach
In response to the incident, Microsoft wrote in a blog post: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers." The post also outlined the steps Microsoft was taking to assist affected customers, as well as the preventative measures the company was taking to avoid future exposures.
First, the company notified the Microsoft employees and customers it estimated had been affected by the exposure. Because customer support agent information had been disclosed, Microsoft also warned all customers, whether or not they had been impacted, to be on the lookout for fraudulent customer service emails sent in the company's name. In addition, Microsoft gave its customers general guidance on data breach incidents, such as changing online passwords, and pointed out that a company of its size does not proactively contact individual customers about technical issues, so an unsolicited support call or email claiming to be from Microsoft should be treated as suspect.
Data breaches and redaction
Data breaches have become a near-daily occurrence, driven by the massive amount of personal data that consumers share with businesses around the world, but the way Microsoft handled its customer support exposure differed from that of many comparable companies. Because Microsoft had redacted personally identifiable information from customer records before the exposure occurred, the damage was contained far more effectively and efficiently than the record count alone would suggest. By comparison, a breach disclosing millions of records that still contained personal data could easily have led to a class action lawsuit, as well as reputational harm that no dollar figure can capture.
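To make the redaction point concrete, here is an added example of the kind of pre-storage redaction a support platform can apply to transcripts. It is illustrative code written for this article, not Microsoft's tooling: the regular expressions, the HMAC key, the `redact`, `find_pii` and `redact_case` helpers, and the sample case are all constructed here. Card numbers are only redacted when they pass the Luhn checksum, so order and serial numbers that merely look like cards survive; email addresses are replaced by a keyed hash so a customer's cases can still be correlated without the address being stored; and `find_pii` is the gate that refuses to write a record if anything the patterns recognize is still present. It also shows the caveat from the previous section: only the field types the rules cover are protected.

```python
"""Redact PII from support transcripts before they are stored.

Added example, not Microsoft's tooling: the patterns, the HMAC key and the
sample case below are all constructed for illustration.
"""
import hashlib
import hmac
import re

# Assumed patterns: adequate for a demo, not a complete PII taxonomy.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
PHONE_RE = re.compile(r"\b(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}\b")

DEMO_KEY = b"constructed-demo-key-rotate-me"  # assumption: a real key lives in a secrets store


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: screens out serial/case numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonymize_email(email: str, key: bytes) -> str:
    """Keyed hash so one customer's cases still join, without storing the address."""
    tag = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"[email:{tag}]"


def redact(text: str, key: bytes) -> str:
    """Replace card numbers, e-mail addresses, IPv4 addresses and phone numbers."""
    def card_repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "[card]" if luhn_ok(digits) else m.group(0)  # non-Luhn runs are left alone

    text = CARD_RE.sub(card_repl, text)  # cards first: they are the longest digit runs
    text = EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0), key), text)
    text = IPV4_RE.sub("[ip]", text)
    text = PHONE_RE.sub("[phone]", text)
    return text


def find_pii(text: str) -> list:
    """Pre-storage gate: every remaining hit; an empty list means the record may be written."""
    hits = [("email", m) for m in EMAIL_RE.findall(text)]
    hits += [("ip", m) for m in IPV4_RE.findall(text)]
    hits += [("phone", m) for m in PHONE_RE.findall(text)]
    hits += [("card", m) for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    return hits


def redact_case(case: dict, key: bytes) -> dict:
    """Return a copy that is safe to retain; raise if anything slipped past the patterns."""
    clean = dict(case, transcript=redact(case["transcript"], key))
    leftovers = find_pii(clean["transcript"])
    if leftovers:
        raise ValueError(f"PII still present after redaction: {leftovers}")
    return clean


# Constructed transcript; every detail in it is invented for the demo.
SAMPLE_CASE = {
    "case_id": "CASE-0042",
    "transcript": (
        "Customer jane.doe@example.com: card 4111 1111 1111 1111 was charged twice, "
        "order ref 1234 5678 9012 3456. Call me on 555-010-2233. Session IP 203.0.113.42. "
        "Agent: refund issued, confirmation sent to jane.doe@example.com."
    ),
}

if __name__ == "__main__":
    print(redact_case(SAMPLE_CASE, DEMO_KEY)["transcript"])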
For companies such as Microsoft that provide such a wide range of products and services to their millions of users and customers, dealing with data breaches is an all but inevitable reality. This being said, the fashion in which the company handled the data breach, from both a preventative and real-time perspective, highlights the simple steps that businesses can take to reduce the level of damages that their customers stand to face in the event of a breach. With all this being said, small businesses and international organizations alike will have to consider the way in which they handle data breach incidents, as a simple oversight can lead to millions of people having their information compromised in seconds.