Microsoft suffers ID security lapse

Four consultants with special Microsoft credentials inadvertently release their ID numbers to a magazine, raising new concerns about online security.

After learning that the ID numbers of four consultants with special Microsoft credentials had been inadvertently released, the software giant today took steps to correct the mistake. But the episode raised new concerns about online security.

In its February edition, Microsoft Certified Professional Magazine is carrying a salary survey of management information services consultants who carry the coveted Microsoft credentials. But a profile of four consultants also includes their certification numbers.

The number is used to identify Microsoft certified professionals, or MCPs as they are known in the industry, and can be used to gain access to private sections of Microsoft's network, such as its certification and training site, which only recently went online.

Microsoft asked MCP Magazine to remove the numbers on its Web site after NEWS.COM brought the article to its attention, and the publication complied, said Donna Senko, group manager of Microsoft certification and skills assessment. However, it is too late to remove the numbers from print versions of the magazine, which went out last week. Senko said the company took steps to prevent unauthorized users from accessing the private sections of the site.

"We jumped on it right away," said Senko. "We also changed passwords on the accounts. We feel the issue has been resolved." Both Senko and Linda Briggs, editor in chief of MCP Magazine, stressed there was no affiliation between Microsoft and the publication, and added that the four MCPs volunteered their numbers when being interviewed for the story.

While not a major security breach, the episode demonstrates the lack of a clear policy about how to treat the certification numbers. Senko said that the numbers should be kept confidential, but two of the four MCPs whose numbers were revealed in the survey said they were unaware they were supposed to keep the numbers private.

Bill Jeansonne, editor of IT Specialist Magazine and an MCP himself, wrote in an email message that MCPs need to be aware of the risks of their numbers being divulged.

"I think this thing is a big deal and that MCPs should be warned about giving out their IDs so freely," Jeansonne said. "The significance of this is that it can be used to enter a secure Web site for MCPs at Microsoft's own Training and Certification site. In addition, unscrupulous individuals or organizations can also use the ID to gain employment or Microsoft Certified Solution Provider status, respectively, using the ID numbers." He called the episode a gaffe.