Microsoft inadvertently shares BPOS offline address books with other customers

According to an email I’ve seen, sent to customers of Microsoft BPOS (Business Productivity Online Suite), some users have found their Offline Address Book – an Exchange feature which stores a company’s internal address list – has been downloaded by other BPOS customers:

Microsoft recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite–Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance. The issue was resolved within two hours of identification, and we completed a thorough review of processes to prevent this type of issue from occurring again. Our records indicate that a very small number of downloads actually occurred, and we are working with those few customers to remove the files.

This issue affected only Business Productivity Online Suite–Standard customers; no other Microsoft Online Services were affected.

Big deal? Probably not, especially as customer address lists, which might be useful to competitors, are not normally included in an Offline Address Book.

That said, any leakage of data from one customer to another is a serious issue, as it is exactly this possibility which deters users from using cloud services in the first place. It is an inherent hazard of multi-tenancy.

Still, kudos to Microsoft for owning up.