A configuration error in Microsoft’s Business Productivity Online Suite (BPOS) exposed clients’ information.
Microsoft’s BPOS is an online service for businesses. It is currently evolving towards Office 365, which is based around the use of SharePoint Online, Exchange Online and Lync Online for unified communication within the cloud.
Even if the march towards cloud computing today seems to be unrelenting, it is stories like this one which send chills down the spine, and should certainly lead to some thinking. A configuration error in Exchange does not have the same consequences on an internal deployment as it does on shared infrastructure located in the cloud.
Microsoft last week informed their clients that, due to a configuration problem with the Offline Address Book function in BPOS, information could be inadvertently downloaded by other clients. Microsoft spoke about very specific circumstances where this could occur, and the issue was resolved ten hours after it was discovered… except they didn’t specify how long the issue had existed.
The offline address book is a copy of enterprise addresses which users can access when disconnected from BPOS. Personal contacts, emails, documents and other items in Outlook were fortunately not affected.
The problem occurred in the data centres in North America, Europe and Asia. Thanks to data tracking, Microsoft was able to warn clients who downloaded data which was not their own, and requested that they delete the files. The software giant claimed that there was a "very small number" of downloads.
Microsoft seems to be reassured about their systems, but this misadventure certainly highlights the risks of cloud computing. Numerous observers have taken this news as an opportunity to question companies which are attempting to move fully into the cloud.
LeMondeInformatique.fr cites three events which threaten data security when hosted by a Cloud provider: "poor configuration or bugs in the cloud service software; the theft of information by hackers; employees negligent with confidential information."