skip to Main Content

Thinking inside the box

0845 602 7006 | 0117 322 6163

Even Microsoft admits to data breach

It’s tempting to believe that important data breaches only happen in the US and the figures tend to bear that out – the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast. But US laws and regulations force organisations to admit to data breaches involving the customer, something which is not true in all countries.

In the UK, the Data Protection Act used to be the piece of legislation that businesses worried most about together with the possibility of fines by the information commissioner (ICO). Now, with the General Data Protection Regulation in full force across the EU and the UK, companies and organisations found not to have adequately disclosed breaches or protected their users face enormous fines.

With credentials being bought and sold on the dark web for significant amounts of money, substantial breaches, sometimes including card data – seem to be more and more commonplace.

A few months ago Microsoft itself owned up to a compromise of some Office 365 accounts. Although the number of users affected has not been disclosed, Microsoft confirmed that around six percent of those involved would have had their emails hacked.

According to an email from Microsoft, sent to the affected users, the hack was a result of the firms support agents’ credentials being compromised which therefore provided unauthorised access to some users’ account information.

“The recent confirmation of compromised Office 365 accounts at Microsoft itself underscores the growing risk of cloud account compromise as attackers continue to utilise more creative phishing lures, employ targeted, intelligent password spraying and find new ways to circumvent multi-factor authentication,” Ryan Kalember, EVP of cybersecurity strategy at Proofpoint said.

The majority of the users affected had their email address, folder names, subject lines of emails and recipient email addresses from emails between January and March hacked, but the compromise did not include the content of the emails or attachments, Microsoft says. The breached emails were from Outlook, MSN and Hotmail accounts.

According to a six-month study from Proofpoint, 72 percent of major cloud service tenants have been targeted at least once with 40 percent noting at least one compromised account in their environment.

“Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence,” Microsoft security wrote in an email.

For complimentary advice on how to ensure your organisation is correctly following data legislation with your paper records, contact us now.


Back To Top