Microsoft’s 38TB Leak: How IT Leaders Should Respond

After cloud security company Wiz on Monday dropped a bombshell report detailing a 38TB Microsoft internal leak, business leaders might be wondering how the blunder could impact their own cloud operations.

According to Wiz, the affected data included full backups of two employees’ computers that held passwords to Microsoft services, secret keys, and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees. Wiz says that Microsoft’s AI team’s upload of training data containing open-source code and AI models allowed GitHub users to access the models on Microsoft’s Azure cloud service. The files were accessed by an Azure feature called SAS tokens, which allow you to see data from Azure Storage accounts.

“In addition to the overly permissive access scope, the token was also misconfigured to allow ‘full control’ permissions instead of read-only. Meaning, not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well,” according to the Wiz blog post on the leak.

Microsoft cleared up the issue after Wiz contacted the company in June to warn about the exposure. Still, the data has been exposed with the active link since 2020.

A Learning Opportunity

Former Microsoft CIO and author Jim Dubois tells InformationWeek that organizations should take comfort in the fact that the leak was internal and outside data was not compromised. “This is a somewhat immaterial leak compared to others reported this year by other companies,” Dubois says. “No customer data … no services impacted. Microsoft’s own data leaked for a very small number of employees.”

Related:Tesla Insider Data Breach Exposed Over 75,000

He added, “As a CIO/CISO, I could be reassured from this that the Microsoft services are still secure but need to be configured correctly. I would take that I need to be extra careful about what I allow our employees to do, as even Microsoft has a hard time getting their employees to use cloud services right.”

Wiz says organizations can take steps to avoid similar leaks by shoring up security around SAS tokens, which the company said should be “as limited as possible.”

“The simple step of sharing an AI dataset led to a major data leak, containing over 38TB of private data,” the company said in its blog post.

Dubois said organizations can look at the leak as a teachable moment. “I would ask Microsoft and their implementation partners for help and best practices for me to security configure at my company.”

However, he noted, “I don’t think there is anything in this leak that changes my belief that hyperscale services are more secure than what most companies can do themselves because their ability to learn and scale against the whole range of attacks is greater than what any individual company can do.”

Related:What Cybersecurity Gets Wrong

Microsoft has had a tough year for security, with several high profile attacks and a Department of Homeland Security probe into a July email breach that exposed high level-government accounts, including those of US Commerce Secretary Gina Raimondo and senior State Department Diplomats.