Microsoft BPOS Error Exposes Cloud Customers’ Data

Microsoft has reported a Business Productivity Online Suite configuration error that exposed customer data.

A configuration error recently exposed corporate data belonging to customers of Microsoft’s cloud-based Business Productivity Online Suite (BPOS) for messaging and collaboration.

According to the company, the configuration issue exposed information in customers’ Offline Address Books, a feature in Exchange that permits Outlook users to access copies of email addresses when users are not connected to Exchange.

Wide Area Affected

Microsoft confirmed the breach in a statement and said the problem, which occurred in its data centres in Europe, North America and Asia, was fixed within two hours of its discovery. The company did not say exactly how long the error existed, but claimed that only a limited number of improper downloads took place.

According to Clint Patterson, Microsoft’s director of BPOS Communications, the issue only affected Business Productivity Online Suite – Standard customers; no other Microsoft Online Services were impacted.

“Our records indicate that a very small number of downloads actually occurred, and we are working with those few customers to remove the files,” he said in a statement. “This issue applied to Offline Address Book information only, and no other information was affected. Offline Address Book contains an organisation’s business contact information for employees. It does not contain Outlook personal contacts, email, documents or other types of information.”

The BPOS toolkit includes Microsoft Exchange Online, SharePoint Online, Office Communications Online and Office Live Meeting.

Tight Cloud Security

The data breach is a “stark reminder” that companies putting sensitive data in the cloud need to ensure they are implementing sound security and risk management strategies to protect that information from being accessed by unauthorised users, said Kurt Johnson, vice president of strategy and corporate development at Courion.

“The cloud introduces new risks that could potentially impact overall data security,” he said. “This includes issues that may inadvertently, as in this case, provide access to unauthorised users. This is often overlooked by companies and is something that is critical to proper data protection.”

Patterson said, “We take our responsibility to safeguard customer data very seriously and, while no customer action is required, we have notified all our Business Productivity Online Suite – Standard customers about this issue.”

Last August, three outages hit Microsoft’s BPOS – Standard operation over a two-week period during an upgrade.

In October, Microsoft announced the next version of BPOS would be called Office 365. It will compete with Google Apps and other cloud-based suites.