Microsoft India is now backtracking on what could prove to be a major security breech. The Chinese group Evil Shadow Team reportedly hacked Microsoft India’s retail website earlier this month. At the time of the report Microsoft sent emails to its users claiming “databases storing credit card details and payment information were not affected during the compromise.” It appears now, that is not the case.
In an email form Microsoft India General Manager Chakrapani Gollapali to its users, Microsoft states that “review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers.”
Chakrapani goes on to suggest all Microsoft Store India users closely monitor their credit card accounts: “if you used a credit card on the Microsoft Store India website, we recommend the following actions: Contact your credit card provider and alert them to potential unauthorized access to your account information. Closely monitor and review your credit card account for abnormal activity, and if seen, immediately contact your credit card provider.”
Since the hacks, Microsoft and its Indian e-solutions provider Quasar has come under fire for its lack-luster data security practices. The Microsoft Store was accused of storing data and passwords in plain text, without the basic encryption that is standard today. Now, it appears, they were also storing credit card information, which is normally exchanged over a secure payment gateway.
It is odd that Microsoft would store passwords and other customer information as plain text given the number of hacks this year and the ready availability of encryption solutions on the market. Solutions that Microsoft itself provides in the form of EFS (Encrypting File System) and BitLocker. In today’s climate, this sort of security breech comes off as willful negligence on the part of Microsoft, showing little regard for their customers financial protection.
The Microsoft Store India site (www.microsoftstore.co.in) is still down following the attacks on Feb. 12th. The hackers released screenshots of their work but obscured full usernames and passwords. On the blog (ps.s.blog.163.com) Evil Shadow Team member 7z1 describes himself as a “patriotic hacker.”