Understanding the Complexities of Microsoft’s Data Privacy Policy and the Alarming Privacy-related Developments.
In the current tech- and data-dominated era, our personal information is scattered all around the vast expanse of the Internet. As our reliance on digital means of communication, , and beyond grows, it becomes increasingly important to understand how companies handle our personal and private data.
Is the security of our data truly as assured as we perceive it to be?
Despite companies expressing clear intentions for secure data handling, the practical application of these intentions within the digital landscape encounters numerous challenges. Microsoft, as one of the giants of the tech industry, naturally comes to attention.
Exploring the practices of this industry leader not only reveals its impact on our digital lives but also raises a question about the level of trust we place in Microsoft and its commitment to keeping our data safe.
Microsoft’s Data Practices: Privacy Statement and User Consent
Founded in 1975 by Bill Gates and Paul Allen, Microsoft has evolved into one of the largest and most influential tech companies globally, with Microsoft Office’s suite software being used by more than 1.2 billion people worldwide; from a real-life perspective, that is about every seventh person on the planet.
From Windows operating systems to Office productivity software, Microsoft’s products cover various aspects of our digital lives. In fact, with over 50 diverse product offerings, ranging from email servers and online meetings software to streaming services and presentation-making apps, Microsoft has become an integral part of our daily digital experiences.
Given the extensive range of products and their inherent value, a considerable number of users often overlook a crucial aspect – the security of their data once entrusted to Microsoft.
Consider, for example, whether you have reviewed the terms and conditions before consenting to the use of Microsoft-offered services. If not, you are not alone.
According to a survey conducted by Deloitte, a surprising 91% of individuals agree to legal terms and conditions without looking into the details. Even more so, among the younger people aged 18-34, an astonishing 97% of individuals agree to the conditions before even reading them.
For those who have yet to explore Microsoft’s privacy statement, it is imperative to consider some key insights. Foremost among these is the disclosure that:
“Microsoft collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we obtain some of it by collecting data about your interactions, use, and experiences with our products.”
Additionally, Microsoft gathers data about users from third-party sources; in fact, not only gathers but also shares the data with a vast data repository of 772 external parties, as made apparent in the new Outlook update. The question you might have: Can I opt out of this extensive data collection? The straightforward answer is yes; one can manually go and opt out of some of the privacy consents that they find unnecessary. However, it is essential to note that not all personal data processed by Microsoft can be accessed or controlled through the opt-out page or data privacy dashboard. Should users wish to manage data that is not available via these tools, they would have to contact Microsoft directly.
The reality, however, is that the majority of users are unlikely to undertake this long process “only” to ensure the safety of their data.
Microsoft’s Privacy: Understanding the Complexities
Some may argue that the data privacy statement alone is insufficient grounds to distrust Microsoft with personal and private data. Some may even say that there remains a hopeful perspective that Microsoft manages the information it collects and stores responsibly, preventing it from falling into the wrong hands.
However, last summer’s DDoS attack on Microsoft, allegedly resulting in the theft of data of 30 million customer accounts, compels one to reconsider. Despite Microsoft’s assurance that no theft occurred, the statement from Anonymous Sudan, the hacktivist group supposedly behind the DDoS attack, claiming the sale of the entire customer accounts database, along with potential ties to Russian hacker groups, raises legitimate concerns.
This leads to a fundamental question: Is Microsoft truly the secure destination we seek for our data?
DDoS Attack on Microsoft, June 2023
In June 2023, Microsoft fell victim to the most high-profile distributed denial-of-service (DDoS) attack. The attack was marked by surges in traffic resilting in limited (or no) availability of certain services. The cause of this disruption was caused by what Microsoft’s opposing groups refer to as “Storm-1359” – a threat actor associated with the notorious hacker group, Anonymous Sudan.
The hacker group claims to have breached Microsoft’s servers and to have stolen credentials for 30 million customer accounts, gaining access to accounts, emails, and passwords. They then offered to sell this database for $50,000, encouraging potential buyers to purchase stolen data via their Telegram bot.
Anonymous Sudan had already made its mark with a series of DDoS attacks targeting entities in Sweden, Denmark, the United States, Australia, and other nations since early 2023. Even though claimed to be originally based in Sudan, threat researchers identify potential logistical and ideological ties to Russia.
The complexity increases when considering that Anonymous Sudan may have utilized a botnet, a network of computers infected by malware, operated by Zarya Legion, a pro-Russian hacktivist group, for their June 2023 DDoS attack. It has been postulated that Zarya Legion sought revenge against Microsoft for shutting down the Zloader botnet, an entity allegedly associated with them.
Zarya Legion, before becoming its own entity, operated as a special forces unit under the command of Killnet – a Russia-aligned hacktivist group that gained prominence during the Russia-Ukraine war; Killnet, in turn, is believed to have collaborated with both Anonymous Sudan and XakNet, a group assessed to coordinate with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors, all creating a complex network of interlinked hacktivist organizations.
With Anonymous Sudan positioned at the forefront of this discovered chain of hacktivist groups, it becomes challenging to imagine any of these entities as secure repositories of where your data could have ended up, should Anonymous Sudan’s statement be true.
Microsoft’s Response to the DDoS Attack, June 2023
Despite admitting the occurrence of an attack, Microsoft denied the claims made by Anonymous Sudan, and stated that they “have seen no evidence that customer data has been accessed or compromised”.
In response, Microsoft issued recommendations for users on how to mitigate the impact of layer 7 DDoS attacks, advising them to utilize layer 7 protection services such as Azure Web Application Firewall (WAF), accessible through Azure Front Door and Azure Application Gateway, specifically developed to protect web applications.
While Microsoft’s advice to users appears reasonable, implementing it with Azure is not as straightforward. Microsoft’s Azure Web Application Firewall (WAF) is a security service embedded within the Microsoft Azure cloud platform. Azure, an extensive cloud computing platform, encompasses a diverse array of services, spanning computing power, storage, databases, networking, and security services.
Unsecured Azure Storage: Data Leak, September 2023
Since July 2020, the Microsoft AI research division inadvertently exposed a substantial amount of sensitive data, totaling 38 terabytes. The leak included a disk backup of two employees’ workstations, containing confidential information such as secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. This occurred while the division was contributing to open-source AI learning models on a public GitHub repository.
As stated by BleepingComputer, the revelation came almost three years later, in 2023, when cloud security firm Wiz uncovered the incident. Security researchers from Wiz found that a Microsoft employee unintentionally shared the URL for a misconfigured Azure Blob storage bucket with the leaked information. It was discovered that Microsoft researchers had used an Azure feature called SAS tokens to share their files. While SAS tokens typically allow the sharing of specific files, in this instance, the link was configured to share the entire storage account, exposing an additional 38 terabytes of private files.
As mentioned by Wiz, this incident highlights a new risk faced by organizations, especially in the field of AI research, where large datasets are crucial for training models. As data scientists and engineers rush to develop new AI solutions, “the massive amounts of data they handle require enhanced security measures and safeguards,” Wiz CTO & Cofounder Ami Luttwak told BleepingComputer.
In response to the discovery, the Microsoft Security Response Centre (MSRC) team issued an advisory, assuring that no customer data was exposed, and no other internal services were compromised as a result of this incident.
Is it not paradoxical that in an effort to mitigate a DDoS attack, the users are directed towards a solution embedded within a platform that seems to be inherently compromised? Moreover, even though Microsoft once again denied any compromise of user data, the frequency of such statements prompts some doubt, doesn’t it?
Microsoft Outlook Update and Subsequent Privacy Concerns, November 2023
Finally, let’s consider a scenario where your usage of Microsoft products and services is limited to Microsoft Outlook (for email communications) only. How impactful could this choice of email provider be? Unfortunately, with the newest Outlook update, quite impactful.
As mentioned by StartMail, the latest version of Outlook has a security flaw that could lead to the unintentional sharing of your SMTP (Simple Mail Transfer Protocol) and IMAP (Internet Message Access Protocol), as well as all of your emails, with Microsoft’s servers when you add a new account.
The issue was first discovered by Heise.de and means that by adding a new account, you give Microsoft access to read and analyze every email you send and receive. Even though you can go to the earlier version of the app anytime, the data would have already been stored and synchronized.
How Can You Protect Your Data
The decision of whether or not to trust Microsoft with your data and designate it as the repository for your most personal and private information is entirely yours to make. However, if you find yourself exploring alternative options, vBoxx welcomes the opportunity to show you the products and services that we offer.
vBoxx, being hosted in the Netherlands, is a GDPR-compliant solution for your data storage, sharing, and beyond. Committed to safeguarding privacy and ensuring security in every online interaction, vBoxx shapes a digital landscape grounded in trust. With a secure hosting hub, reliable cloud services, and a trusted password manager, vBoxx serves as your one-stop destination for digital productivity and security solutions. Rest assured, vBoxx upholds a strict commitment to privacy, ensuring that your data is not sold, shared with third parties, or used for non-intended purposes.
Interested? Feel free to reach out through our contact page or give us a call! We’re eager to introduce you to a realm of complete digital privacy and security.
