Microsoft’s AI team’s Azure mistake led to a 38TB dump of private company data. Should CIOs worry about cloud security implications?

Shane Snider , Senior Writer, InformationWeek

September 19, 2023

3 Min Read
Microsoft corporation brand logo on high rise glass building exterior through exotic green palm leaves summertime photo.
TRAVELARIUM via Alamy Stock Photo

After cloud security company Wiz on Monday dropped a bombshell report detailing a 38TB Microsoft internal leak, business leaders might be wondering how the blunder could impact their own cloud operations.

According to Wiz, the affected data included full backups of two employees’ computers that held passwords to Microsoft services, secret keys, and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees. Wiz says that Microsoft’s AI team’s upload of training data containing open-source code and AI models allowed GitHub users to access the models on Microsoft’s Azure cloud service. The files were accessed by an Azure feature called SAS tokens, which allow you to see data from Azure Storage accounts.

“In addition to the overly permissive access scope, the token was also misconfigured to allow ‘full control’ permissions instead of read-only. Meaning, not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well,” according to the Wiz blog post on the leak.

Microsoft cleared up the issue after Wiz contacted the company in June to warn about the exposure. Still, the data has been exposed with the active link since 2020.

A Learning Opportunity

Former Microsoft CIO and author Jim Dubois tells InformationWeek that organizations should take comfort in the fact that the leak was internal and outside data was not compromised. “This is a somewhat immaterial leak compared to others reported this year by other companies,” Dubois says. “No customer data … no services impacted. Microsoft’s own data leaked for a very small number of employees.”

Related:Tesla Insider Data Breach Exposed Over 75,000

He added, “As a CIO/CISO, I could be reassured from this that the Microsoft services are still secure but need to be configured correctly. I would take that I need to be extra careful about what I allow our employees to do, as even Microsoft has a hard time getting their employees to use cloud services right.”

Wiz says organizations can take steps to avoid similar leaks by shoring up security around SAS tokens, which the company said should be “as limited as possible.”

“The simple step of sharing an AI dataset led to a major data leak, containing over 38TB of private data,” the company said in its blog post.

Dubois said organizations can look at the leak as a teachable moment. “I would ask Microsoft and their implementation partners for help and best practices for me to security configure at my company.”

However, he noted, “I don’t think there is anything in this leak that changes my belief that hyperscale services are more secure than what most companies can do themselves because their ability to learn and scale against the whole range of attacks is greater than what any individual company can do.”

Related:What Cybersecurity Gets Wrong

Microsoft has had a tough year for security, with several high profile attacks and a Department of Homeland Security probe into a July email breach that exposed high level-government accounts, including those of US Commerce Secretary Gina Raimondo and senior State Department Diplomats.

About the Author(s)

Shane Snider

Senior Writer, InformationWeek, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights