A Microsoft public server carrying millions of customer details and
other internal documents was taken offline and secured last
Tuesday, shortly after the company discovered its mistake.
The unsecured FTP server was intended to allow customers to
download patches and fixes and upload files for analysis by
Microsoft technical support staff.
Marketing staff at the company evidently mistook it for an internal
server and had been storing confidential details and other
documents on it, unaware that these could be accessed from the
Internet.
It is estimated that 18 million addresses were contained in two
compressed, password-protected files, but the protection could
readily be cracked using simple tools that are available on the
Web.
A spokesman said the company is investigating a potential policy
breach, because the server was not designated as a secure resource
and storing sensitive information on it was prohibited.
Chris Wysopal, director of research and development for digital
security specialist @Stake, said ensuring that people observe
security policies is crucial. "Companies need enforceable policies.
A bank is much more than just a vault - it is people following
approved processes."
The discovery of such a blatant flouting of security policy is
being seen as a blow to Microsoft's attempts to establish itself as
a security-conscious organisation through its Trustworthy Computing
initiative launched last January.
Since then it has issued 65 security bulletins, primarily fixes for
buffer overruns, and held up the release of several products to try
to change the perception of its products as being buggy and
insecure.