Data Leak as Office 365 Admin Center Displays Usage Data from Other Tenants


Oh Look, That’s not Our Data

The danger of making mistakes when changing cloud systems that run at massive scale was demonstrated on Thursday evening (August 3) when the Office 365 Admin Center suddenly started to reveal usage data belonging to other tenants. Reports flooded in from administrators who noticed that the reported email and SharePoint usage for their tenants had spiked enormously. When they went to look at the underlying data, they saw that it included users from one or more domains outside their tenant. The leak revealed names and email addresses of those users.

The problem surfaced in multiple Office 365 datacenter regions, including both the U.S. and EMEA.

Microsoft Fixes the Problem

As they worked the problem, Microsoft issued a service health advisory (MO112471 – Figure 1) to tell tenants that usage reports were unavailable. As seen in the notification, Microsoft fixed the problem and had usage reports back online and working properly by 3:35 AM UTC today. Given that this problem happened outside normal working hours (for many), it is possible that you missed it.

Figure 1: Service advisory for problem with usage reports (image credit: Tony Redmond)

I have many examples of screenshots from tenants showing data from other tenants in their usage reports but will not publish them here for obvious reasons.

The More Important Issue

The service advisory says that a recent code update impacted the accessibility of usage reports. I guess being able to access other tenants’ user data is certainly an impact. However, although it is interesting for tenants to be able to see what people are up to elsewhere, the real problem here might come in the form of regulations like the European GDPR (General Data Protection Regulation), due to go into effect in May 2018.

In this case, Microsoft is the data controller for personal information belonging to Office 365 users. Although it’s unlikely that any great harm would come from someone else knowing that I sent 242 and received 819 messages last week, the regulations are clear that this is a leak. As such, the EU could fine Microsoft up to 4% of its global revenue, which is enough to make your eyes water.

Moving On

No one is going to fine anyone in this case. In the global scheme of things, this is a relatively harmless screw-up that Microsoft fixed quickly. However, it certainly does not help Microsoft when they assert how safe your data is inside their cloud services. Doubtless some will point to this instance as an example of why you should not trust cloud providers with your data. You do also wonder what testing happened before Microsoft introduced this code change into production. But hey, such is the wonder of “evergreen” software.

Follow Tony on Twitter @12Knocksinna.


Update (August 7): Microsoft sent notes to tenants affected by the issue:

On August 3rd, Microsoft introduced an update to the Activity Reports service in the Office 365 admin center. This update resulted in a situation affecting a limited number of customers where usage reports of one tenant could be displayed in another tenant’s administrative portal. At 11:40 PM UTC the same day the Activity Reports service was disabled until the underlying service code issue could be corrected.

According to our analysis it appears that your user ID was presented usage reporting data of another tenant. Microsoft has provided notification to affected customers and there is no action required of you. We’ve confirmed that at no time was your tenant usage data visible to other tenants. As Microsoft takes customer privacy very seriously we wanted to make you aware of this issue.