The consumer site Comparitech, which found the data, said it was accessible on five Elasticsearch servers.
The following data was among the items exposed:
- Customer email addresses;
- IP addresses;
- Descriptions of CSS claims and cases;
- Microsoft support agent emails;
- Case numbers, resolutions, and remarks; and
- Internal notes marked as “confidential”.
In a blog post, Microsoft said it had used wildcards to clear any personal data from the servers. However, those entries that did not conform to the format used were not removed.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," the company's blog post said.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorised access."
Comparitech said it had found the data on 29 December, a day after after it was indexed by the BinaryEdge search engine.
The head of its security research team, Bob Diachenko, applauded Microsoft for acting swiftly to remove access to the data.