According to a report by Wiz, an American cloud security company, Microsoft AI researchers accidentally leaked a staggering 38 terabytes of confidential company data on the developer site GitHub. Microsoft recently (2020) announced its artificial intelligence (AI) powered digital assistant, named “Copilot”. With the product being enhanced on a day-to-day basis, Microsoft engineers and researchers are working around the clock to make sure “Copilot” is a success; its main aims are to free up creativity, free up productivity, and sharpen user skills.
The data spill was extensive and poses a big risk not only to Microsoft but to its users at large if the data ends up in the wrong hands. As per the report, the leaked files included a full disk backup of two employees’ workstations, which contained sensitive personal data along with company secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. A cyber attack is the biggest fear, as the leak could even have made Microsoft’s AI systems vulnerable.
According to Wiz, the mistake was made when Microsoft AI researchers were attempting to publish a bucket of open-source training material and AI models for image recognition to the developer platform. In the process, the researchers misconfigured the files’ accompanying SAS token, the storage URL that establishes file permissions. Instead of granting GitHub users access to the downloadable AI material specifically, the misconfigured token allowed general access to the entire storage account. The grant was not read-only but full control, meaning that anyone who wanted to tinker with the many terabytes of data, including the AI training material and AI models in the pile, would have been able to.
The report also noted that the SAS misconfiguration dates back to 2020, meaning that this sensitive material has basically been open season for several years. Microsoft says that it has since resolved the issue and that no customer data was exposed in the leak.