Microsoft puts address lists on insecure server

A Microsoft public server carrying millions of customer details and other internal documents was taken offline and secured last Tuesday, shortly after the company discovered its mistake.

The unsecured FTP server was intended to allow customers to download patches and fixes and upload files for analysis by Microsoft technical support staff.

Marketing staff at the company evidently mistook it for an internal server and had been storing confidential details and other documents on it, unaware that these could be accessed from the Internet.

It is estimated that 18 million addresses were contained in two compressed, password-protected files, but the protection could readily be cracked using simple tools that are available on the Web.

A spokesman said the company is investigating a potential policy breach because the server was not designated as a secure resource and storing sensitive information was prohibited.

Chris Wysopal, director of research and development for digital security specialist @Stake, said ensuring that people observe security policies is crucial. "Companies need enforceable policies. A bank is much more than just a vault - it is people following approved processes."

The discovery of such a blatant flouting of security policy is being seen as a blow to Microsoft's attempts to establish itself as a security-conscious organisation through its Trustworthy Computing initiative launched last January.

Since then it has issued 65 security bulletins, primarily fixes for buffer overruns, and held up the release of several products to try to change the perception of its products as being buggy and insecure.


