Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Because that always ends well

Updated Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises.

The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner Davenport & Associates, all Office 365 customers.

The complaint [PDF] says that – while Microsoft has repeatedly promised its business customers that it would only use their data to provide purchased services, that it would share their data with subcontractors only on a need-to-know basis, and that it will never share their data with third-parties – those claims are false.

"In fact, contrary to its representations, Microsoft has regularly shared – and continues to share – its business customers' data with Facebook and other third parties," the complaint says. "The data is shared even when neither the customers nor their contacts are Facebook users."

The complaint contends Microsoft has shared data with hundreds of subcontractors when not necessary for purchased services, and that some of these downstream firms have suffered data breaches. It also claims Microsoft routinely uses business customers' emails, documents, calendars, location data, and media files to develop new products, to gather business intelligence, and otherwise derive commercial benefit.

The trio says that this means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.

Still, as long as the devs were trustworthy...

In particular, the plaintiffs claim that Microsoft automatically shares customers' business contacts with Facebook, without consent, whether or not the customers or their contacts are Facebook users.

"Even if a customer discovers and disables this Facebook-sharing 'feature' after activating Office 365 or Exchange Online services, the damage has already been done," the complaint says, pointing to the Cambridge Analytica scandal as an example of the potential harm.

"At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, '[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook's systems except by Facebook.'"

As a result, business customers' data can be accessed not just by Facebook, "but also by whomever Facebook shares the data with, and whomever those entities decide to share the data with, ad infinitum."

Chain of data command

Then there's the issue of third-party developers. The complaint says that "even if a business customer did not download a third-party application (and thus did not consent to sharing its data with the third-party), Microsoft nonetheless transmits the non-consenting business customer’s data to third-party developers if another Office 365 user consented to the application."
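The two flows the complaint describes, the contact-sync "feature" above and delegated app consent granted by one user, are both things a tenant administrator can inspect. The following read-only audit is an added example written for this page; it is not code from the article, the complaint, or Microsoft. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the operator holds Exchange admin rights and can consent to Directory.Read.All, and it takes the complaint's "Facebook-sharing feature" to be the Outlook on the web contact-sync integration governed by OWA mailbox policies (my reading, since the complaint is not quoted naming it). The scope pattern used to flag "broad" delegated grants is likewise my choice.

```powershell
# Added example (not from the article, the complaint, or Microsoft): a read-only
# tenant audit for the two data flows the complaint describes.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed;
# operator is an Exchange admin and can consent to Directory.Read.All; the
# "Facebook-sharing feature" is the OWA contact-sync integration controlled by
# OWA mailbox policies (my reading, not the complaint's wording).

# Delegated permission names that reach beyond the consenting user's own data:
# *.Shared (other users' mailboxes/contacts/calendars shared with them),
# *.All (directory-wide reads) and People.Read (relevance data about others).
# This pattern is my heuristic, not a Microsoft classification.
$BroadScopePattern = '\.Shared$|\.All$|^People\.Read'

function Get-OwaSocialConnectStatus {
    # Get-OwaMailboxPolicy exposes FacebookEnabled/LinkedInEnabled per policy.
    # Microsoft documents the Facebook integration itself as retired, so $true
    # here is a policy-hygiene finding, not proof that contacts are flowing.
    foreach ($policy in Get-OwaMailboxPolicy) {
        $finding = 'ok'
        if ($policy.FacebookEnabled -or $policy.LinkedInEnabled) {
            $finding = 'social contact sync permitted by policy'
        }
        [pscustomobject]@{
            Policy          = $policy.Name
            FacebookEnabled = $policy.FacebookEnabled
            LinkedInEnabled = $policy.LinkedInEnabled
            Finding         = $finding
        }
    }
}

function Get-BroadDelegatedGrant {
    # Each oAuth2PermissionGrant is one consent record. ConsentType 'Principal'
    # means one user consented (PrincipalId is set); 'AllPrincipals' means an
    # admin consented for the whole tenant. Scope is a space-separated list of
    # delegated permissions granted to the app (ClientId = service principal).
    $nameCache = @{}
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        $broad = @($grant.Scope -split '\s+' | Where-Object { $_ -and $_ -match $BroadScopePattern })
        if ($broad.Count -eq 0) { continue }
        if (-not $nameCache.ContainsKey($grant.ClientId)) {
            $nameCache[$grant.ClientId] =
                (Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId).DisplayName
        }
        [pscustomobject]@{
            App         = $nameCache[$grant.ClientId]
            ClientId    = $grant.ClientId
            ConsentType = $grant.ConsentType
            PrincipalId = $grant.PrincipalId
            BroadScopes = ($broad -join ' ')
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Directory.Read.All'

Get-OwaSocialConnectStatus | Format-Table -AutoSize
Get-BroadDelegatedGrant | Sort-Object App, ConsentType | Format-Table -AutoSize
```

Rows with ConsentType 'Principal' and a *.Shared or People.Read scope are the closest tenant-level evidence for the complaint's scenario of one user's consent exposing colleagues' data; whether that is acceptable is a policy decision, but the tenant's user-consent settings in Entra ID are the control that decides whether such grants can be created without an administrator.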

The lawsuit insists Microsoft's claims that it abides by System and Organization Controls (SOC 1 and SOC 2) standards are false, pointing to the company's own documentation stating that Microsoft Graph does not comply with SOC 1 or SOC 2.

"Because Microsoft’s Graph automatically gathers all business customers’ Office 365 and Exchange Online data, and Graph does not comply with SOC standards, Microsoft’s handling and use of business customers’ Office 365 and Exchange Online data also does not comply with SOC standards," the complaint says.

The lawsuit is seeking class certification on behalf of Microsoft's non-governmental business customers and damages to be determined.

Microsoft did not immediately respond to a request for comment at time of publication. ®

Updated to add

“We’re aware of the suit and will review it carefully,” a Microsoft spokesperson told The Register after this story was filed.

“However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”

Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

Brave roasts DuckDuckGo over Bing privacy exception

Search biz hits back at 'misleading' claims, saga lifts lid on Microsoft's web tracking advice

Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday, challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave Microsoft Bing and LinkedIn trackers a degree of leniency not extended to other trackers.

Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.

"For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

Microsoft continues cyber security spending spree with Miburo buy

Brains to be added to the Customer Security and Trust in defense against 'foreign adversaries'

Microsoft has opened its wallet once more to pick up New York-based cyber-threat analyst Miburo.

Founded by Clint Watts in 2011, Miburo is all about the detection of and response to foreign (in the context of the US) information operations. The team is to be folded into Microsoft's Customer Security and Trust organization and the work of its analysts is to be fed into the Windows giant's threat detection and analysis capabilities.

"Miburo," said Microsoft, "has become a leading expert in identification of foreign information operations." Its research teams have hunted out some nasty influence campaigns across 16 languages.

Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such as spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.
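Because macro settings are irrelevant here, the useful host-side checks are whether the ms-msdt: protocol handler that such a document invokes is still registered, whether the June update is installed, and whether any downloaded documents carry external relationships that pull remote content. The script below is an added example, not code from the article or from Microsoft. The registry location is the one Microsoft's pre-patch workaround told administrators to export and delete; the KB number is the Windows 11 June 14 update named elsewhere on this page (other Windows builds carry the fix under different KB numbers, so substitute yours); the .docx triage heuristic is mine.

```powershell
# Added example (not from the article or from Microsoft): host-side checks for
# the MSDT exposure (CVE-2022-30190). Assumptions: run on Windows PowerShell
# or PowerShell 7 on the host being checked; KB5014697 only applies to Windows 11.

function Test-MsdtProtocolHandler {
    # A crafted document reaches MSDT through the ms-msdt: URL protocol handler.
    # Microsoft's pre-patch workaround was to export and then delete this key.
    # On a patched host the key is expected to be present again, so treat
    # HandlerRegistered=$true as a finding only when Test-UpdateInstalled fails.
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $present = Test-Path -Path $key
    $command = $null
    if ($present) {
        $command = (Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ HandlerRegistered = $present; HandlerCommand = $command }
}

function Test-UpdateInstalled {
    # KB5014697 is the Windows 11 June 14 update named on this page; other
    # builds use different KB numbers (assumption: pass the one for your build).
    param([string]$Kb = 'KB5014697')
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    [pscustomobject]@{ Kb = $Kb; Installed = [bool]$hotfix; InstalledOn = $hotfix.InstalledOn }
}

function Find-ExternalDocxRelationship {
    # Triage heuristic (mine): a .docx is a zip, and any part that pulls remote
    # content does so through a relationship with TargetMode="External" in
    # word/_rels/*.rels. Report every http(s) target regardless of relationship
    # type; a clean document normally has none.
    param([Parameter(Mandatory)][string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in @($zip.Entries | Where-Object { $_.FullName -like 'word/*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in @($rels.Relationships.Relationship)) {
                if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                    [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

Test-MsdtProtocolHandler
Test-UpdateInstalled
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.docx -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Find-ExternalDocxRelationship -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it as a normal user for the handler and document checks; Get-HotFix reads the same data an administrator sees. A document that shows an external oleObject or attachedTemplate relationship pointing at an HTTP host is not proof of this particular bug, but it is exactly the shape of file the paragraph above describes and deserves to be opened only in a sandbox.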

Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Microsoft Defender goes cross-platform for the masses

Redmond's security brand extended to multiple devices without stomping on other solutions

Microsoft is extending the Defender brand with a version aimed at families and individuals.

"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

Wi-Fi hotspots and Windows on Arm broken by Microsoft's latest patches

Only way to resolve is a rollback – but update included security fixes

Updated Microsoft's latest set of Windows patches is causing problems for users.

Windows 10 and 11 are affected, with both experiencing similar issues (although the latter seems to be suffering a little more).

KB5014697, released on June 14 for Windows 11, addresses a number of issues, but the known issues list has also been growing. Some .NET Framework 3.5 apps might fail to open (if using the Windows Communication Foundation or Windows Workflow component) and the Wi-Fi hotspot feature appears broken.

1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right

1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

RSA Conference Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center.

"All of those have been big," she said, in an interview with The Register at RSA Conference. "But I feel they will continue and there will be more. And there's a reason I think that."

As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft's products and services, as well as visibility across industry partners' software and tools plus customers' environments including government agencies. 

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
