Microsoft Hacks Its Own User, Gets Breached by Syrian Electronic Army

NEWS ANALYSIS: Ironically, Microsoft—which examined an ex-employee's Hotmail and Outlook accounts to find a leak—was breached by hacktivist group Syrian Electronic Army.

Microsoft is at the center of a pair of security incidents this week that serve to illustrate how the software giant uses customer information. In one incident, Microsoft was allegedly breached by the Syrian Electronic Army (SEA), which is an online hacktivist group that is loosely affiliated with the government of Syrian President Bashar al-Assad. The SEA has claimed responsibility for a number of high-profile attacks in recent months, including an attack against Microsoft and its Skype service back in January.

The SEA's typical targets have mostly been Twitter and other social media accounts, but apparently the group was able to breach Microsoft and obtain some data, according to a report published March 20 in the Daily Dot.

Microsoft has neither confirmed nor denied that the Daily Dot report is accurate.

"We've previously stated that Microsoft won't comment on the validity of any stolen emails or documents," a Microsoft spokesperson said in a statement emailed to eWEEK.

What the Daily Dot report exposed is that Microsoft is charging the U.S. Federal Bureau of Investigation (FBI) for access to data. While Microsoft isn't confirming any specific data breach, it does not deny that it works with the FBI and that it is compensated for data.

"Under U.S. law, companies can seek reimbursement for costs associated with complying with valid legal orders for customer data," Microsoft's spokesperson stated. "As we state clearly in our Law Enforcement Requests Report, we attempt to recover some of the costs associated with any such orders."

In a separate and unrelated event this week, a Microsoft investigation led to the arrest of a former employee over Windows 8 leaks.

The issue with that investigation is that Microsoft actually looked through the ex-employee's Hotmail and Outlook email accounts to find information. In a statement sent to eWEEK from Microsoft, the company defended its actions.

"During an investigation of an employee, we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party," Microsoft stated. "In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law-enforcement agencies in multiple countries."

Microsoft noted that it received a court order for the search of a home relating to evidence of the criminal acts involved.

"As part of the investigation, we took the step of a limited review of this third party's Microsoft-operated accounts," Microsoft stated. "While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances."

So, to recap, Microsoft is compensated by the FBI for information disclosures, and Microsoft also goes through user email accounts when necessary to find information.

Should we be concerned?

The reality in both the FBI and the Hotmail/Outlook cases is that Microsoft is working within the law and as directed by the law. The law requires Microsoft to comply with FBI requests, and as such, there really shouldn't be much of a concern there for law-abiding citizens. The larger issue in that case is about Microsoft's own data security and how the SEA was able to obtain the data in the first place.

In the Hotmail/Outlook case, Microsoft had a court order. This was not some kind of wanton, indiscriminate searching of email: Microsoft had probable cause, persuaded a judge of that and obtained a court order.

While privacy is always a concern and should be actively defended, Microsoft likely has done nothing wrong here. In general, though, it's important to remember that online email services have their own privacy policies in place, too. Microsoft's rival Google has its own questionable views about Gmail privacy.

The simple truth is that if you're using an online service and there is a legal request to access data, then the data will be accessed—legally.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.