Microsoft data breach: Is your business affected?

In June 2023, there were reports of a potential security breach at Microsoft, where a master key was said to have been leaked. This key could have potentially compromised customer data stored in the cloud. According to Microsoft, it is believed that attackers from China may have successfully used this leaked key to monitor emails, particularly those of European government agencies that primarily use Microsoft 365's Exchange Online service to host and manage email in the cloud.

Based on what is currently known, almost all users of Microsoft's cloud services could be affected if they use the 'Sign in with Microsoft' feature.

Microsoft has since blocked the stolen keys, but it remains to be seen whether attackers were already able to install backdoors. At the moment there is a lot of uncertainty and little information from Microsoft.

Here is a summary of their latest statement on the so-called "Storm-0558" incident:

  • According to Microsoft's account of the incident, attackers used forged authentication tokens to access the emails of approximately 25 organizations, including government agencies and related customer accounts in the public cloud, from May 15, 2023, until the attack was discovered on June 16, 2023.
  • The results of the investigation, recently released by Microsoft, indicate that a signing key was compromised as early as April 2023 following a crash of the consumer signing system. The Storm-0558 hackers appear to have obtained this key, which gave them broad access to the Microsoft cloud.

The impact

The situation remains unclear because Microsoft has been reluctant to fully acknowledge the extent of the problem and has played down its severity.

In the latest Microsoft update:

  • A stolen master key from Microsoft provides access to a significant portion of their cloud applications, granting broad access privileges.
  • This breach enables malicious actors to impersonate any user, heightening concerns.
  • Access extends to critical communication channels like email, files, Teams, and Skype, with the full extent uncertain, leaving users vulnerable.
  • The breach primarily targets government-related accounts, raising national security concerns.

In summary, Microsoft's lack of transparency, combined with the severity of the breach and its potential impact on user data and trust, necessitates an urgent, thorough investigation and comprehensive response to mitigate the damage.

Learn more about data breaches and how you can prevent them in your company in our article.

DataGuard best practice: Key takeaways for your business

Upon being alerted to the breach, our Data Protection Officer (DPO) promptly reached out to our IT department to work together in implementing proactive measures aimed at reducing potential risks.

Despite the uncertainty of the situation, our DataGuard IT experts recommend the following actions:

  • Search HTTP log files for the specific IP addresses associated with the incident.
  • Review the sign-in activity of the Microsoft account, and remove any connected devices that cannot be attributed to a legitimate user of the account.
  • This is also relevant in the context of Data Protection Impact Assessments (DPIA). It is recommended that risks stemming from this alleged breach be addressed in the risk assessment.
  • Customers using MS cloud services should contact Microsoft to confirm whether they may have been affected and to take protective measures. After all, as a data processor, Microsoft is responsible for reporting data breaches. We recommend that you contact Microsoft either by email (see template in EN and DE) if you have a direct point of contact or via their support site.
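The first two actions above can be scripted against an export of sign-in records. The following is an added example (not from the article or from DataGuard) that assumes a simplified newline-delimited JSON export with constructed records, a placeholder watchlist of IP addresses and a placeholder set of registered device IDs; it flags sign-ins from watchlisted IPs or unregistered devices and notes whether each falls inside the May 15 to June 16, 2023 window the article cites.

```python
import json
from datetime import datetime, timezone

# Activity window the article cites for Storm-0558 token use (UTC).
WINDOW_START = datetime(2023, 5, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 6, 16, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sign-in records in a simplified newline-delimited JSON shape;
# the field names are an assumption, not Microsoft's actual export format.
SAMPLE_LOG = """
{"time":"2023-05-20T08:15:00Z","user":"alice@example.org","ip":"203.0.113.10","deviceId":"dev-001","app":"Exchange Online","result":"success"}
{"time":"2023-05-22T23:40:00Z","user":"alice@example.org","ip":"198.51.100.7","deviceId":"","app":"Exchange Online","result":"success"}
{"time":"2023-06-01T10:05:00Z","user":"bob@example.org","ip":"203.0.113.11","deviceId":"dev-777","app":"Teams","result":"success"}
{"time":"2023-07-03T09:00:00Z","user":"bob@example.org","ip":"198.51.100.7","deviceId":"dev-002","app":"SharePoint","result":"failure"}
"""

# Placeholders: substitute the indicator IPs published for the incident and
# the device IDs actually registered in your tenant.
WATCHLIST_IPS = {"198.51.100.7"}
KNOWN_DEVICES = {"dev-001", "dev-002"}

def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review_signins(records, watchlist_ips, known_devices):
    """One finding per sign-in from a watchlisted IP or an unregistered device."""
    findings = []
    for r in records:
        reasons = []
        if r["ip"] in watchlist_ips:
            reasons.append("watchlist-ip")
        if r.get("deviceId") not in known_devices:  # empty/missing ID counts as unknown
            reasons.append("unknown-device")
        if not reasons:
            continue
        when = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        findings.append({"user": r["user"], "time": r["time"], "ip": r["ip"],
                         "deviceId": r.get("deviceId", ""), "result": r["result"],
                         "reasons": reasons,
                         "in_window": WINDOW_START <= when <= WINDOW_END})
    return findings

def devices_to_review(findings):
    """Map each user to the unregistered device IDs seen: candidates for removal."""
    out = {}
    for f in findings:
        if "unknown-device" in f["reasons"] and f["deviceId"]:
            out.setdefault(f["user"], set()).add(f["deviceId"])
    return out
```

Calling review_signins(parse_log(SAMPLE_LOG), WATCHLIST_IPS, KNOWN_DEVICES) yields three findings from the constructed records, and devices_to_review on that result lists the unregistered device dev-777 under bob@example.org for follow-up.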

Our experts further recommend the following security measures to bolster your information security and reduce the likelihood of token theft and other security breaches:

Manage device authentication:

  • Ensure visibility into how and where users authenticate.
  • Allow access to critical applications only from known devices that adhere to security baselines.
  • Utilise compliance tools like Intune and device-based conditional access policies to keep devices updated and secure.
  • Implement session conditional access policies for unmanaged devices to reduce token theft impact.
  • Reduce session lifetimes to force re-authentication, which increases the chance of detecting threat actors.

Enhance user authentication:

  • Implement phishing-resistant multi-factor authentication (MFA) solutions like FIDO2 security keys, Windows Hello for Business, or certificate-based authentication.
  • Consider these solutions, especially for highly privileged users and high-risk applications.
  • Segregate cloud-only identities for administrative activities to minimise the risk of on-premises compromise.
  • Prioritise the enforcement of location, device compliance, and session controls for applications and users with the greatest risk to the organisation, including privileged users, financial applications, HCM systems, and administrative portals.

Get in touch with our expert consultants today and strengthen your cybersecurity defences to ensure your business doesn't just survive but thrives securely in the digital world.

About the author

Boris Otterbach

Principal Privacy

Boris Otterbach is a lawyer and certified Data Protection Officer. At DataGuard, he supports clients as a Privacy Consultant, primarily in the areas of human resources, hospitality and gastronomy. In addition, he leads a team of lawyers and industry experts. During his studies, he gained deep insights into European law, international law and the field of human rights protection; data protection was a central aspect as well. For Boris, the GDPR stands for common European framework conditions to protect the people behind the data, and he aims to translate these framework conditions into pragmatic, everyday solutions. Before joining DataGuard, he gained in-depth experience in the field of data protection at various companies, among others a large financial services provider and an international advertising agency.
