Microsoft (MSFT) – Get a free reportA lawsuit has been filed by a security firm that claims it improperly handled a huge database of personal data.
Hold Security LLC, an intelligence firm based near Milwaukee, says Microsoft misused its collection of more than 360 million logins and passwords.
Don’t Miss: Amazon has its own words on concerns about breaches of privacy laws
Hold Security claims that Microsoft breached the contract. The lawsuit was filed in King County Superior Court in Washington state.
“Hold Security LLC’s lawsuit alleged that in 2014 it gave Microsoft access to more than 360 million stolen account credentials — consisting of compromised emails and passwords — for use in protecting Microsoft customers,” according to Law360. However, in subsequent years, Microsoft went beyond the agreed scope of use of the credentials and used the information for its own purposes, including managing Microsoft-owned LinkedIn and Github.
Details of the lawsuit appear
Several years later, after initial access was granted, in early 2021, the Wisconsin company detected the inappropriate use, according to Hold Security.
The complaint alleged, according to Law360, “When Hold’s owner Alex Holden contacted the technology company regarding the discovery, Microsoft refused to adhere to the agreed scope of use.”
“Microsoft continued to use the stolen account credentials that were accessed, whether identical or non-identical, for its own purposes,” the lawsuit states. He said. This use allegedly involved the management of Microsoft-owned LinkedIn and Github.
The complaint said Microsoft and Hold Security agreed in 2015 that Microsoft would match stolen credentials to its users so the software company could notify them that their information had been affected.
According to Law360, “Microsoft has promised to destroy non-Microsoft domain credentials.”
“But Hold alleged that Microsoft defied its promises, including around 2018, when it used stolen account credentials without permission to obtain an updated version of the Active Directory Federation Service, which enables unified identity and access management,” according to Law360. “Unified Identity Management is a system that allows users to associate their electronic identities, allowing a single credential to authorize access across multiple applications.”
Microsoft responds to the complaint
A Microsoft spokesperson made a statement to Law360 regarding the matter.
“Over the past several months, Microsoft has been in contact with Hold Security representatives in an effort to amicably resolve a dispute regarding the contractual relationship between the parties,” the spokesperson said, according to Law360. Because the claims in the lawsuit do not accurately reflect the terms of the contract, Microsoft will seek to dismiss the claims.
“You have been asked to explain assertion that the lawsuit does not accurately reflect the terms of the contract,” Geekwire (a publication that apparently received a similar statement from Microsoft) mentionedDetails will be included in Microsoft’s upcoming motion to dismiss the lawsuit, the spokesperson said.
Law360 available Some additional background information on the dispute.
Hold’s dealings with Microsoft soured around 2020, according to the suit, shortly after the parties renewed their relationship in June 2020 through an Additional Principal Vendor Services Agreement.
The following month, Microsoft representatives sought to purchase historical account credentials — the hold of the sale was “morally and legally incapable” of proceeding given the nature of the information, the suit alleged. This is when Microsoft instead chose to “grab historical data,” Hold said, allowing third parties to use data allegedly captured through the Microsoft Edge web browser.
Microsoft’s Hold alleged that Microsoft also retaliated against him after Alex Holden’s comments in October 2020 to an industry publication that said Microsoft’s efforts to disable “TrickBot” malware were not yet a “decisive victory”. A Microsoft employee directed other employees to stop working with Hold, the lawsuit said, resulting in a “significant loss of business for Hold.”
The complaint alleged that the company again lost business when a Microsoft employee posted “false information about Hold” on Twitter, resulting in Hold losing “a key member of its board of advisors”.
Get exclusive access to proven portfolio managers and investment strategies with Real Money Pro. let’s start.