Tag: Data security

Microsoft informs Azure customers about major vulnerability

31. August 2021

Microsoft notified several thousand customers of its Azure cloud service on Aug. 26, 2021, about a serious security vulnerability that allows unauthorized parties to gain full access to customers’ cloud databases. The vulnerability affects the multi-model NoSQL database CosmosDB, which is one of the cloud service’s key products. Microsoft says it has since closed the gap, but affected customers must take steps themselves to prevent unauthorized access.

As Reuters reports, a research team from the security firm Wiz discovered the vulnerability in the Azure security infrastructure. It allowed them to obtain access keys and thereby gain full access to multiple companies’ databases. The researchers discovered the vulnerability on August 9th and reported it to Microsoft on August 12th, 2021. Wiz later published a blog post explaining the vulnerability. Primary read-write keys allow full access to customer databases. Through a feature called Jupyter Notebook, which was integrated into CosmosDB in 2019, it was possible to obtain such keys belonging to CosmosDB customers. This made it possible to read, modify and even delete all primary databases. CosmosDB is used by a number of Fortune 500 companies to manage massive amounts of data from around the world in near real-time.

According to Microsoft, the vulnerability was fixed immediately, and no evidence was found that anyone other than Wiz had accessed customer data. Since Microsoft itself cannot change customers’ access keys, affected customers were emailed on Aug. 26 and asked to change their keys. However, the problem may also have affected customers who were not notified. Microsoft has told Wiz that it will pay out $40,000 for reporting the vulnerability.

If you have received a notice from Microsoft and one of your affected databases contains personal data, you must assess whether you are required to report this incident to the relevant data protection supervisory authority within 72 hours in accordance with Article 33 of the GDPR. If you believe your organization may be impacted by ChaosDB, please follow the steps described by Wiz in this blog post for detailed instructions on how to protect your environment.

This incident marks the third major security incident involving Microsoft products within 12 months, following the so-called “SolarWinds” hack in December 2020 (please see our blog post) and a large-scale hack of Microsoft Exchange in March 2021 (please see our blog post).

China passes new data security law

15. June 2021

China’s “National People’s Congress”, the Chinese legislative body, approved the new “Data Security Law 2021” on June 10th, 2021 (unofficial English translation here). The new law gives President Xi Jinping the power to shut down or fine tech companies. The law will go into effect on September 1st, 2021.

The law applies to data processing activities and security surveillance within China’s territory. Data processing activities outside China’s territory that threaten China’s national security and public interests are also covered by the law. For international companies, the law means they must localize data in China. For example, data generated in factories in China must be kept in China and be subject to cyber data oversight.

Companies that leak sensitive data abroad or are found “mishandling core state data” can be forced to cease operations, have their licenses revoked, or be fined up to 1.6 million US$, and companies that provide electronic information to foreign law enforcement authorities can be fined up to approx. 150,000 US$ or forced to suspend their business.

While the Chinese government is increasing its financial involvement in tech companies, it is also producing new legislation to tighten its grip on such companies. The new data law is expected to provide a broad outline for future rules for Internet services and to ease the tracking of valuable data in the interest of national security. This may include directives that certain types of data must be stored and handled locally, as well as requirements for companies to track and report the information they hold.

A personal information protection law is still under review in China.