Microsoft says it has plugged a security hole in its own Web site that let virtually any user access a large amount of its private data about customer transactions and other confidential information. The hole involved an internal sales database that was mistakenly connected to the site's search functionality, letting anyone with a Web browser and the right know-how view customer service records. A security expert found the hole and notified Microsoft immediately.
"We were notified of this, we fixed the problem, and we're reviewing our internal systems to make sure proper procedures are followed to make sure this doesn't happen again," a Microsoft representative said. "This was a case of human error, and we will remain vigilant in our efforts to protect customer information and will not accept any breakdowns or failures in this process."
The hole revealed information about customers who had purchased Microsoft products directly from the company, including customer names and shipping information as well as phone numbers and email addresses; no credit card numbers were exposed. Adrian Lamo, the security expert who discovered the information, performed a similar hack on Yahoo!'s site last month, when he succeeded in breaking into the site and changing news stories.