Microsoft, Midnight Blizzard, and the revenge of the legacy apps

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

• 23andMe points the finger at cyberattack victims.
• The tech industry’s lobbying efforts to weaken state privacy laws “bordering on parody”, according to one lawmaker.
• Human error leads to an AI start-up data breach.

But first, how have Microsoft’s legacy apps led to a security breach at the org chart?  

If you only read one thing:  

Microsoft’s legacy applications come back to haunt them

The recent state-sponsored attack on Microsoft should give all companies pause, as they contemplate how one of the world’s largest companies managed to have its highest level punctured thanks to an unnecessary legacy application.

According to Microsoft, a Russian state-sponsored actor (“Midnight Blizzard”, what a name) compromised a legacy, non-production test tenant account in November. From this foothold, the threat actor then accessed a small percentage of corporate email accounts, including members of the executive team and cybersecurity, legal, and other functions, exfiltrating emails and documents.  

Their investigation suggests they were concerned with finding information about Midnight Blizzard itself. Who among us can say they haven’t Googled themselves out of vanity? But the attack itself is chilling.

Microsoft says the attack shows the continued risk posed by actors like Midnight Blizzard, and I don’t disagree with this.

But let’s recap that attack again: a legacy application was all it took for a threat actor to gain access to the emails and documents from the executive team of one of the largest technology companies in the world. Remarkable.

For the average company, such a failure to retire legacy systems represents a substantial risk. If Midnight Blizzard is scary, legacy applications are equally so. And if Microsoft has one of these legacy systems sitting around, the average company has 20.

How much risk do your legacy applications pose?

The term “legacy app” refers to an obsolete app that no longer receives updates, has limited or no ongoing support, but continues to function. Enterprises make extensive use of such apps.

Depending on the company, they may still use the apps in their day-to-day business (though the employees will not relish this!), or they may not use them but keep them “just in case”, or because they need to retain the data in those systems for compliance purposes.

In one survey from 2nd Watch, 80% of respondents said they were running at least one-quarter of their business workloads and applications on-premises, with 52% running more than half of their workloads and applications on-premises.

If any of this rings true for you, it’s time to rethink this approach. It’s time to get your legacy app risk under control by retiring your apps and closing these attack vectors.

If you’re worried about your immediate risk, this SpectorOps analysis of the Microsoft breach contains a step-by-step guide for Azure admins who want to remove these attack paths.

But you really need to remove the apps themselves, while retaining the data you need.

RecordPoint allows organizations to retire legacy applications confidently. The platform enables organizations to understand their structured and unstructured data, and then move the data to be retained into the RecordPoint platform. Once this is done, they can retire the apps and remove the risk, and the ongoing costs.

While Midnight Blizzard may not be targeting your organization, your legacy apps put holes in your cybersecurity defenses. It’s time to remove this threat.

🕵️ Privacy & governance

23andMe is blaming victims of its recent data breach for the attack that compromised their data, saying the former customers—currently pursuing legal action against the genomics company—re-used passwords and failed to update those compromised in a previous breach. Blaming victims is a bold legal strategy that I’m sure will do wonders for user acquisition.

A guide to data privacy laws in 13 US states, from Connecticut to Virginia.

The New Jersey legislator who was the driving force behind a tough new privacy law says the tech industry’s efforts to weaken the law bordered on parody.

EU countries have unanimously approved the AI Act, after a tense negotiating period over the technical details of the “world’s first artificial intelligence rulebook”, and whether it should apply to the more powerful AI models. The law will be subject to a plenary vote in April, with some elements coming into effect 20 days later.

Australia’s Department of Veteran’s Affairs admitted it misled the Information Commissioner about the extent of data transfers in a program that shared the personal medical details of 300,000 service men, women and their families without their express consent.

The Australian federal government has released an interim response to the “Safe and responsible AI in Australia” discussion paper published last year. The government’s focus for now is on a risk-based approach regulatory approach to AI, especially on “high risk” AI and what mandatory AI safeguards are appropriate.

🔐 Security

Cloudflare disclosed a data breach related to stolen Okta data last fall. The nation state threat actor accessed Cloudflare's internal wiki on Atlassian Confluence, its bug database on Atlassian Jira and its source code management system on Atlassian Bitbucket

AI startup Anthropic suffered a data breach, caused by a contractor emailing a file containing customer names and open credit balances to a third party. Human error impacting an AI startup, what are the odds?  

75% of data protection professionals say if authorities were to conduct an on-site investigation at an average company handling user data, they would find “relevant violations”.

US cybersecurity agency CISA gave federal agencies 48 hours to disconnect from US firm Ivanti’s VPN appliances, which were riddled with zero-day exploits currently being exploited by hackers. The hurry was notable given federal agencies are usually given weeks to patch against vulnerabilities.

A Football Australia data breach has meant player contracts, passports and more have been exposed online. According to Cybernews, the governing body “left plain-text Amazon Web Services (AWS) keys – including Secret keys – hardcoded into the HTML page of its subdomain”.

📣 The latest from RecordPoint  

Read:  

This state government agency made extensive use of Salesforce across a wide-ranging portfolio, but needed help to manage this data in place and take records management off employees’ to-do list. Learn how RecordPoint helped it overcome these challenges.

Western Australia is poised to introduce new data privacy laws. If your organization is potentially subject to these regulations, read this analysis to help you prepare your data.

Listen:

FILED Podcast is back for season 2! Our first interview was with privacy researcher Dr Darra Hofman, where we discussed their research into the relationship between privacy and transparency from the perspective of recordkeeping, as well as the vital role records management and information governance plays in privacy, technologies like AI, and why records professionals need to be more involved from the start.

‍