The incidents highlight the lack of rules governing the secure handling of law enforcement orders for data, industry experts say. The recent breach also raises questions about the internal processes some firms follow when providing information to authorities.
Documents posted on Twitter by the Syrian Electronic Army, a collective of hackers and online activists supporting Syrian President Bashar al-Assad, included correspondence between Microsoft’s government compliance team and various law enforcement agencies around the world. The documents contained criminal subpoenas, e-mail addresses of targets and “access keys,” presumably passwords, to the user packages Microsoft makes available to law enforcement.
Other documents obtained by The Washington Post suggest the hackers also were able to access the account information Microsoft provides to law enforcement agencies, which includes the target’s name, location and the Internet Protocol (IP) address of the computer the target used to sign up for an e-mail account or to log in to it.
“We have previously stated that Microsoft will not comment on the validity of any stolen e-mails or documents,” said Adrienne Hall, general manager of Microsoft’s Trustworthy Computing Group. “Protecting the security and privacy of our customers continues to be a top priority; with ongoing investment in programs to help make sure our customers feel safe when they do business with us.”
Microsoft acknowledged two weeks ago that “a select number of Microsoft employees’ social media and e-mail accounts were subjected to targeted phishing attacks,” which enabled the hackers to gain access to the employees’ e-mail accounts, Hall said in an e-mailed statement. “It appears that documents associated with law enforcement inquiries were stolen.”
Microsoft said it is working to strengthen its security, including through employee education.
Lax security around such sensitive material is “a big problem,” said one industry lawyer, whose firm had not authorized him to speak on the record. “For intelligence agencies, it’s a great place to go have a look. It’s one-stop shopping and you can have one look and know what a country is doing.”
In national security matters, where court orders are classified, there are government rules about keeping the data secure and secret. But on the criminal law enforcement side, “there’s no law, no regulation, that you have to keep it secure,” the industry lawyer said.
Last year, The Washington Post reported that a Chinese hack of Google in 2009 targeted not only the firm’s valuable source code but also its computer files containing U.S. surveillance targets. Similarly, last year the online magazine CIO.com reported that Microsoft was breached in the same wave of Chinese attacks and that the hackers were after information on government surveillance targets.
“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” said Microsoft official David W. Aucsmith, who was speaking at a conference, according to CIO.com.
“We were attacked by the A-team,” he said at the conference, according to a recording provided by CIO.com. “The reason is, of course, that even as a civilian entity, we can have national-security-related information, and we will be subjected to the A-team and the best that people have to offer.”
He called it “brilliant counterintelligence.”
The firm last year disputed reports that its servers were breached, saying in a statement that “the so-called ‘Aurora’ attacks did not breach the Microsoft network.”
In the most recent attack, the hackers obtained various legal documents seeking information on targets whose e-mail addresses were listed, including subpoenas from a Harris County, Texas, prosecutor, a letter from a Mumbai police inspector, and requests from Europol officials and Brazilian organized-crime investigators.
In the Europol case, the communication noted that one of the targets may have been the same individual arrested at John F. Kennedy airport for bank fraud, according to documents reviewed by The Washington Post.
A second industry lawyer, who also was not authorized to speak publicly, said, “In the absence of legal requirements, the burden is on the companies and the government together to figure out appropriate security measures to keep this very sensitive information from falling into the wrong hands.”
The alternative, he said, is “bad for everybody. It’s bad for the provider. It’s bad for the privacy interests of the target and it’s bad for the government because investigations are potentially compromised.”