Microsoft has notified all the customers affected by a configuration error that impacted the company's cloud-based Business Productivity Online Suite and exposed corporate data.
A configuration error recently exposed corporate data belonging to
customers of Microsoft's cloud-based Business Productivity Online Suite.
BPOS is a set of messaging and collaboration tools that
includes Microsoft Exchange Online, Microsoft
SharePoint Online, Microsoft Office Communications Online and
Office Live Meeting. According to the company, the configuration issue
exposed information in customers' Offline Address Books, a feature in
Exchange that permits Outlook users to access copies of e-mail
addresses when users are not connected to Exchange.
Microsoft confirmed the breach in a statement and said the problem
was fixed within two hours of discovery. The company did not say
exactly how long the error existed, but stated that only a limited
number of improper downloads took place. According to Clint Patterson,
Microsoft's director of BPOS Communications, the issue only
affected Business Productivity Online Suite-Standard customers; no
other Microsoft Online Services were impacted.
"Our records indicate that a very small number of downloads actually
occurred, and we are working with those few customers to remove the
files," he said in a statement. "This issue applied to Offline Address
Book information only, and no other information was affected. Offline
Address Book contains an organization's business contact information
for employees. It does not contain Outlook personal contacts,
e-mail, documents or other types of information."
Still, the data breach is a "stark reminder" that companies putting sensitive data in the cloud need to ensure they are implementing sound security
risk management strategies to protect that information from being
accessed by unauthorized users, said Kurt Johnson, vice president of
strategy and corporate development at Courion.
"The cloud introduces new risks that could potentially impact
overall data security," he said. "This includes issues that may
inadvertently, as in this case, provide access to unauthorized users.
This is often overlooked by companies and is something that is critical
to proper data protection."
"We take our responsibility to safeguard customer data very
seriously, and while no customer action is required, we have notified
all our Business Productivity Online Suite-Standard customers about
this issue," Patterson said.