Guess who got hacked?
In recent articles, we’ve warned that people are the weakest link in your IT security. We’ve also warned that any business is a target. No one is immune.
Tech companies like us are especially cautious because, in order to do our job, we have access not just to our data but also to our customers’ data. That’s why Kinetics has invested in an SOC2 compliant password vault (the highest levels of security), and we’re tracking and auditing access to these. We will shortly be able to extend access to this same password vault to our KARE for Security client so you can have the same levels of security.
Even a huge corporate with extensive controls can be compromised. Microsoft recently got caught, (April 2019) when a Microsoft ‘support agent’ had their credentials compromised. Microsoft have advised industry website ‘TechCrunch” that these were used for three months to gain access to customer information!
It seems that access was limited to the free email services they operate – MSN, Hotmail. Commercial tools like Office 365 were NOT compromised.
“Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts.”
If you use these accounts, we recommend you change your password – NOW!
We know that Microsoft take these events seriously and they have extensive systems to protect data. This will be hugely embarrassing to them. We’d just point out that it could have happened to anyone. Under new legislation like GDPR, they are now required to advise you if your data may have been impacted, so we’re likely to see more transparency of these events.
What should you do?
We’ve packaged up what we think are the new ‘reasonable’ steps and called it “KARE for Security”. A large number of our clients have taken this up, and they can take comfort –
but it is vital that all staff are taking security seriously and taking up the training we offer.
Certainly, we think every business needs to consider, at a minimum:
- MFA – Multifactor Authentication
- URL Protection
- Advanced anti-virus, including on phones and tablets
- “Unusual activity” monitoring, especially for cloud tools
- Awareness training – phishing tests, security eLearning and regular inhouse seminars
- Best-practice policies and procedures such as limiting access to the minimum necessary to do work
Above all, protect your passwords. Make sure they are kept secret and not shared with anyone. Most hacks seem to come about from user-ids and passwords being compromised, so make sure you aren’t the one.
Unfortunately, this list will grow and change as the hackers become even more sophisticated.
For what’s it’s worth, the letter from Microsoft to affected users follows:
Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.
We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.
Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).
It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.
If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at email@example.com. If you are a citizen of European Union, you may also contact Microsoft’s Data Protection Officer at:
EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.