A configuration error recently exposed corporate data belonging to customers of Microsoft’s cloud-based Business Productivity Online Suite (BPOS).
BPOS is a set of messaging and collaboration tools that includes Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Office Communications Online and Office Live Meeting. According to the company, the configuration issue exposed information in customers’ Offline Address Books, a feature in Exchange that permits Outlook users to access copies of e-mail addresses when users are not connected to Exchange.
Microsoft confirmed the breach in a statement and said the problem was fixed within two hours of discovery. The company did not say exactly how long the error existed, but stated that only a limited number of improper downloads took place. According to Clint Patterson, Microsoft’s director of BPOS Communications, the issue only affected Business Productivity Online Suite-Standard customers; no other Microsoft Online Services were impacted.
“Our records indicate that a very small number of downloads actually occurred, and we are working with those few customers to remove the files,” he said in a statement. “This issue applied to Offline Address Book information only, and no other information was affected. Offline Address Book contains an organization’s business contact information for employees. It does not contain Outlook personal contacts, e-mail, documents or other types of information.”
Still, the data breach is a “stark reminder” that companies putting sensitive data in the cloud need to ensure they are implementing sound security and risk management strategies to protect that information from being accessed by unauthorized users, said Kurt Johnson, vice president of strategy and corporate development at Courion.
“The cloud introduces new risks that could potentially impact overall data security,” he said. “This includes issues that may inadvertently, as in this case, provide access to unauthorized users. This is often overlooked by companies and is something that is critical to proper data protection.”
“We take our responsibility to safeguard customer data very seriously, and while no customer action is required, we have notified all our Business Productivity Online Suite-Standard customers about this issue,” Patterson said.