Microsoft Cybersecurity Errors Led To Breach Of Companies’ Data
April 23, 2024
Findings by the U.S. Cyber Safety Review Board have been critical of Microsoft cybersecurity errors that allowed a Chinese nation-state group called Storm-0558 to breach more than twenty companies in Europe and the U.S.
Hacker News reports that the findings called the breaches preventable, and said they only succeeded because of a “cascade of Microsoft’s avoidable errors.”
It also took the company to task for failing to detect the compromise on its own – a customer notified it of a breach – and for not prioritizing the development of an automated key rotation solution and modification of its legacy infrastructure to address current threats.
Microsoft Outlook, a personal information management system used by many senior executives of corporations, lost as many as 60,000 unclassified emails during the Storm-0558 attack that began in May 2023.
In September 2023, Microsoft said that Storm-0558 got the consumer signing key that facilitated the attack by compromising an engineer’s corporate account. The engineer had access to a crash dump that inadvertently contained the signing key.
However, in a March 2024 update, Microsoft acknowledged that the theory was inaccurate, and it had not been able to locate a “crash dump containing the impacted key material.”
“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account.”
The Cyber Safety Board recommends that cloud service providers take steps to safeguard against threats from state-sponsored actors, including adopting a minimum standard for default audit logging in cloud services, adopting incident and vulnerability disclosure practices to maximize transparency, and incorporating emerging digital identity standards.
Critical intelligence for general counsel
Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.