When the Microsoft India Store was hacked earlier this month, the company emailed its customers to assure them that “databases storing credit card details and payment information were not affected during this compromise”. However, it now appears that this is incorrect.
As Wall Street Journal columnist Amit Agarwal writes on his own blog, a new update from Microsoft, which was sent to its customers today, has rather different news:
Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers.
Furthermore, the store itself is still down, some two weeks after the incident, suggesting that there are serious problems afoot.
Agarwal claims that Quasar Media, the company responsible for managing the online store, may have held customer data in plain text within the database. If true, it would allow the perpetrators of the attack to gain the information, and serious questions must asked as to why credit card details were not properly secured.
However, Medianama speculates that the hackers may have breached the secure payment gateway, which handles the payment process, or other found other holes in the system.
Microsoft is advising its customers who have used a credit card in the store to contact their provider and let them know the card may have been accessed. Customers are also advised to keep an eye out for any “abnormal activity”, while a helpline has been set up to provide further assistance.
The update is a serious issue for Microsoft. Not only will customers be disappointed at being given false statements, a massive question mark remains around how customer data was secured and why the store remains down.