We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,678 News Articles

Microsoft India Store a Victim of Poor Data Security, Not Hackers

Customer data from the online Microsoft Store in India was compromised by hackers, but the blame lies with shoddy data security practices.

The online Microsoft Store in India was hacked – allegedly by a group of Chinese hackers. The big story, though, isn’t that the site was hacked, or that customer data was compromised and exposed by the attackers, but that the Microsoft Store was storing the data in clear text and didn’t take basic steps to protect it in the first place.

Enough already! While the hackers who compromised the India Microsoft Store network, and breached the servers are certainly to blame for exposing the customer data, the blame really lies with the Microsoft Store itself for storing sensitive data in plaintext.

A company like Microsoft should be aware that no network security is perfect or impenetrable. It should know better than to rely on perimeter security to protect otherwise defenseless data stored out in the open.

In this case, the online Microsoft Store in India is managed by a third-party service provider rather than Microsoft itself. Microsoft itself is less culpable, but it should require more from the vendors it works with, and its agreement should explicitly spell out a minimum level of acceptable protection for customer data.

There are a wide variety of solutions available to encrypt data to protect it from unauthorized access. In fact, Microsoft makes the very tools that could have prevented customer data from being exposed. Use EFS (Encrypting File System) to encrypt and protect sensitive customer data. Use BitLocker to lock down the whole drive and encrypt all of the data it contains.

It is possible that the Microsoft Store in India was employing these defenses, and that the attackers figured out a way to crack or circumvent them. If that’s the case, then this is a much more serious incident, and Microsoft would have a lot of explaining to do very quickly. What is much more likely, though, is that the data was simply left in the open for attackers to take.

If a surgeon were to use dirty tools, resulting in an infection that ultimately kills the patient, we’d call it criminal negligence. The technology exists to sterilize the tools, and the surgeon is expected to use those technologies to ensure as sterile an environment as possible.

This is 2012. Storing sensitive data in plaintext is the tech equivalent of that same sort of willful neglect. The tools exist to encrypt and protect data. Failing to use those tools and expecting luck to work out in your favor is simply not acceptable.

Microsoft did not yet respond to a request for comment.


IDG UK Sites

Nokia replaces budget Lumia 520 with 530: Release date, price and specs

IDG UK Sites

Everything you need to know about Apple's iPhone Camera in iOS 8

IDG UK Sites

Why you shouldn't trust password managers

IDG UK Sites

How to make an 'Apple iWatch' using an iPod nano and a 3D printer