The online Microsoft Store in India was hacked – allegedly by a group of Chinese hackers. The big story, though, isn’t that the site was hacked, or that customer data was compromised and exposed by the attackers, but that the Microsoft Store was storing the data in clear text and didn’t take basic steps to protect it in the first place.
Enough already! While the hackers who compromised the India Microsoft Store network, and breached the servers are certainly to blame for exposing the customer data, the blame really lies with the Microsoft Store itself for storing sensitive data in plaintext.
A company like Microsoft should be aware that no network security is perfect or impenetrable. It should know better than to rely on perimeter security to protect otherwise defenseless data stored out in the open.
In this case, the online Microsoft Store in India is managed by a third-party service provider rather than Microsoft itself. Microsoft itself is less culpable, but it should require more from the vendors it works with, and its agreement should explicitly spell out a minimum level of acceptable protection for customer data.
There are a wide variety of solutions available to encrypt data to protect it from unauthorized access. In fact, Microsoft makes the very tools that could have prevented customer data from being exposed. Use EFS (Encrypting File System) to encrypt and protect sensitive customer data. Use BitLocker to lock down the whole drive and encrypt all of the data it contains.
It is possible that the Microsoft Store in India was employing these defenses, and that the attackers figured out a way to crack or circumvent them. If that’s the case, then this is a much more serious incident, and Microsoft would have a lot of explaining to do very quickly. What is much more likely, though, is that the data was simply left in the open for attackers to take.
If a surgeon were to use dirty tools, resulting in an infection that ultimately kills the patient, we’d call it criminal negligence. The technology exists to sterilize the tools, and the surgeon is expected to use those technologies to ensure as sterile an environment as possible.
This is 2012. Storing sensitive data in plaintext is the tech equivalent of that same sort of willful neglect. The tools exist to encrypt and protect data. Failing to use those tools and expecting luck to work out in your favor is simply not acceptable.
Microsoft did not yet respond to a request for comment.