Microsoft India Store a Victim of Poor Data Security, Not Hackers

The online Microsoft Store in India was hacked a allegedly by a group of Chinese hackers. The big story, though, isn't that the site was hacked, or that customer data was compromised and exposed by the attackers, but that the Microsoft Store was storing the data in clear text and didn't take basic steps to protect it in the first place.

By Tony Bradley
Tue, February 14, 2012

PC World — The online Microsoft Store in India was hacked a allegedly by a group of Chinese hackers. The big story, though, isn't that the site was hacked, or that customer data was compromised and exposed by the attackers, but that the Microsoft Store was storing the data in clear text and didn't take basic steps to protect it in the first place.

Enough already! While the hackers who compromised the India Microsoft Store network, and breached the servers are certainly to blame for exposing the customer data, the blame really lies with the Microsoft Store itself for storing sensitive data in plaintext.

A company like Microsoft should be aware that no network security is perfect or impenetrable. It should know better than to rely on perimeter security to protect otherwise defenseless data stored out in the open.

In this case, the online Microsoft Store in India is managed by a third-party service provider rather than Microsoft itself. Microsoft itself is less culpable, but it should require more from the vendors it works with, and its agreement should explicitly spell out a minimum level of acceptable protection for customer data.

There are a wide variety of solutions available to encrypt data to protect it from unauthorized access. In fact, Microsoft makes the very tools that could have prevented customer data from being exposed. Use EFS (Encrypting File System) to encrypt and protect sensitive customer data. Use BitLocker to lock down the whole drive and encrypt all of the data it contains.

It is possible that the Microsoft Store in India was employing these defenses, and that the attackers figured out a way to crack or circumvent them. If that's the case, then this is a much more serious incident, and Microsoft would have a lot of explaining to do very quickly. What is much more likely, though, is that the data was simply left in the open for attackers to take.

If a surgeon were to use dirty tools, resulting in an infection that ultimately kills the patient, we'd call it criminal negligence. The technology exists to sterilize the tools, and the surgeon is expected to use those technologies to ensure as sterile an environment as possible.

This is 2012. Storing sensitive data in plaintext is the tech equivalent of that same sort of willful neglect. The tools exist to encrypt and protect data. Failing to use those tools and expecting luck to work out in your favor is simply not acceptable.

Microsoft did not yet respond to a request for comment.

Originally published on www.pcworld.com. Click here to read the original story.

What is Tech Briefcase?

TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more

Bookmark content

Speed up your research efforts with content across the web.

Search and Store

Find the white papers you need. Create folders for any topic.

View Anywhere

Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.

Don't have an account yet?

You are here: Technology Topics » Security » News

Most Recent Data protection Stories

White Papers »

2011 IOUG Data Security Survey: Databases More at Risk Than Ever

Download this complimentary copy of the 2011 IOUG Data Security Survey Report and see how your organization measures up.

Top Ten Security Topics

The topics span attack categories, trends and priorities, with a short synopsis of the topics, various use cases, key concepts, and providing references to our Security Connected Reference Architecture.

The New Reality of Stealth Crimeware (McAfee Labs)

With cybercrime on the rise, McAfee and Intel researchers believe that we need to re-envision how to detect and block stealthy malware.

2012 Threat Predictions Report (McAfee Labs)

As they have done for the past several years, McAfee Labs is ready to dust off their crystal ball and offer their fearless predictions of the threats of the upcoming year and beyond. We urge you to consider these ideas to prepare for the ever-evolving threats of the future.

McAfee Security Connected - Mitigates Risk, Maximizes Business Efficiency

McAfee Security Connected framework integrates potentially disparate security technologies. Learn how it enables technologies to work together through collective intelligence, while enhancing each solution's individual security capabilities, efficiencies, and effectiveness. This integrated framework delivers real-time visibility into the security and risk management profile of your business.

Competitive Analysis of the Global Software License Management Market

Learn how to maximize control and minimize loss with SafeNet, the company that Frost & Sullivan named the "clear market leader" in software license management.

Webcasts »

Data Privacy and Protection in Production Environments: New Research from Ponemon Institute

Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT

In a recent study conducted by Ponemon Institute, fifty-five percent of respondents indicated they were not confident that their organization would be able to detect the loss or theft of sensitive personal information in their company's databases and applications.

Join featured guest Dr. Larry Ponemon from the Ponemon Institute, to discuss these new findings and how to best address the growing number of data breaches and privacy challenges that are facing your organization. This webinar will focus on:

- Understanding the current state of privacy and data protection in the production environment
- Identifying areas of greatest vulnerability
- Keeping data secure without sacrificing productivity
- Enterprise and configurable solutions for multiple applications

The Rise of Data-Driven Security

Date: Wednesday, May 23, 2012
Time: 11:00 a.m. PDT / 2:00 p.m. EDT

IT security faces challenges as never before. At one end of the spectrum, industrialized exploits hammer organizations with a volume and frequency of attacks that only a few short years ago would have been unimaginable.

Spear Phishing and the Modern Cyber Attack

Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear phishing - the most common technique used in today's advanced attacks. Learn how spear phishing works and three recommendations for IT to protect against modern threats.

Optimizing the world of IT for end-users: Balancing freedom and choice with security and compliance to meet business

Download this eSeminar to hear from experts Ziff Davis Enterprise, VMware and HP and learn how client-side virtualization can improve your organization's performance, while reducing the IT burden of managing and maintaining an increasingly diverse client universe.

Close a Dangerous Vulnerability: Automated Methods for Managing Admin Rights

In this exclusive webcast from Viewfinity, you'll hear how to leverage Group Policy Object settings to close this vulnerability by elevating privileges for standard users.

Comprehensive Server Protection

Secure your servers and your mission critical applications with Application Whitelisting and on-demand antivirus for optimal security with comprehensive and integrated management.

Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter

CIO Leader
CIO Security
CIO Data Center
CIO Enterprise
View all Newsletters | Privacy Policy

IT Jobs »

See All Jobs » Post a job for $295 »

Jobs powered by SimplyHired

White Papers » All White Papers

2011 IOUG Data Security Survey: Databases More at Risk Than Ever