Company data belonging to customers of Microsoft’s hosted business suite BPOS has been accessed and downloaded by other users of the software.
The issue affected the Offline Address Book of customers of the Business Productivity Online Suite (BPOS) Standard suite.
Microsoft confirmed the data breach to Webwereld, a Dutch IDG publication.
“We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS)–Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance,” said Clint Patterson, director of BPOS Communications at Microsoft.
The data breach occurred in Microsoft data centres in North America, Europe and Asia. The issue was resolved within two hours of being discovered, Microsoft said in a statement. However, during this time “a very small number” of illegitimate downloads actually occurred. “We are working with those few customers to remove the files,” Patterson said.
This Offline Address Book contains an organization’s business contact information for employees. It is stored on a server hosted by Microsoft as part of Exchange Online but can be downloaded for offline access. It does not contain Outlook personal contacts, e-mail, documents or other types of information, Microsoft stressed.
Microsoft has notified all Business Productivity Online Suite–Standard partners and customers about the issue.
BPOS includes Exchange Online, SharePoint Online, Office Communications Online and Office Live Meeting. In October, Microsoft outlined the next version of BPOS, called Office 365, intended to be a full-fledged option to Google Apps and other cloud-based suites.
Office 365 combines the collaboration and communication elements of BPOS with Office Web Apps and, alternatively, even with Office 2010.