HolidayBuyer's Guide

Microsoft closes window to customer data

The company closes a security gap in its customer service Web site that let anyone with a browser view customers' sales records and other confidential information.

Microsoft moved swiftly this week to close a security gap in its customer service Web site that let anyone with a browser view customers' sales records and other confidential information.

The software giant had left a search database exposed without security protections. The address of the customer service page was unpublished, but by altering the numerical IP (Internet Protocol) addresses of known Microsoft Web sites, a security enthusiast located it and found himself with access to an unknown number of customer service records.

Each exposed record included the customer's name, purchasing history, shipping address, billing address, phone numbers, e-mail address and credit card type. It did not include the actual credit card number.

"We were notified of this, we fixed the problem, and we're reviewing our internal systems to make sure proper procedures are followed to make sure this doesn't happen again," Microsoft representative Jim Desler said Wednesday. "This was a case of human error, and we will remain vigilant in our efforts to protect customer information and will not accept any breakdowns or failures in this process."

Adrian Lamo, who discovered the unprotected page, has exposed other embarrassing security gaffes by Internet giants. Last month, Lamo succeeded in breaking into Yahoo's news production tools and altering news stories. Prior to that, Excite@Home credited him with helping them shore up their customer records, which had been vulnerable to exposure.

Lamo said Microsoft fixed the hole within an hour of notification by news Web site NewsBytes.

Close
Drag