Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses. They handle a ton of email for a lot of people, people depend on them, and they are a big target.
If this was a specially privileged superuser account, it should have had more attention paid to it. Yes, it's hard to scale audits or monitoring to the entire customer support org. But if you only have three people that can actually read people's emails, you can certainly audit just their use.
If it's not a specially privileged superuser, then every random helpdesk account can read everything from everyone. This does not inspire confidence.
And even skipping all the complex systems that should have been in place for a system the size of Hotmail: Why did this account not have 2FA? This is basic stuff.
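The audit the comment above argues for (a small, named set of accounts allowed to read customer mail, with their use checked, plus 2FA on those accounts) is straightforward to express as detection logic. The script below is an added example, not code from Hotmail, Microsoft or anyone in this thread; the allowlist, the audit-event field names (`actor`, `action`, `mfa`, `target`, `ticket`) and the sample log lines are all constructed for illustration. It flags mailbox reads by accounts outside the allowlist, reads and logins by allowlisted accounts without MFA, and reads with no associated support ticket, and it produces the per-reader usage count a reviewer would actually look at.

```python
import json
from collections import Counter

# Constructed allowlist: the only support accounts entitled to read customer mailboxes.
MAILBOX_READERS = {"support-tier3-alice", "support-tier3-bob", "support-tier3-carol"}

# Constructed audit events in a JSON-lines shape invented for this example.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T09:00:01Z", "actor": "support-tier3-alice", "action": "login", "mfa": true, "target": null, "ticket": null}
{"ts": "2024-05-01T09:02:10Z", "actor": "support-tier3-alice", "action": "mailbox.read", "mfa": true, "target": "user-1042", "ticket": "T-771"}
{"ts": "2024-05-01T09:30:44Z", "actor": "helpdesk-dave", "action": "login", "mfa": false, "target": null, "ticket": null}
{"ts": "2024-05-01T09:31:02Z", "actor": "helpdesk-dave", "action": "mailbox.read", "mfa": false, "target": "user-2201", "ticket": null}
{"ts": "2024-05-01T10:15:00Z", "actor": "support-tier3-bob", "action": "login", "mfa": false, "target": null, "ticket": null}
{"ts": "2024-05-01T10:16:30Z", "actor": "support-tier3-bob", "action": "mailbox.read", "mfa": false, "target": "user-3390", "ticket": null}
{"ts": "2024-05-01T11:00:00Z", "actor": "support-tier3-carol", "action": "password.reset", "mfa": true, "target": "user-4411", "ticket": "T-802"}
"""


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _finding(kind, event):
    return {"kind": kind, "actor": event["actor"], "ts": event["ts"], "target": event.get("target")}


def audit_mailbox_reads(events, readers=MAILBOX_READERS):
    """Flag every mailbox read that violates the access policy.

    - UNAUTHORIZED_READ: the actor is not on the allowlist at all (a plain helpdesk
      account should never be able to do this; if it can, the privilege boundary is broken).
    - READ_WITHOUT_MFA: an allowlisted reader acted in a session that did not use MFA.
    - READ_WITHOUT_TICKET: an allowlisted reader acted with no support ticket to justify it.
    """
    findings = []
    for e in events:
        if e["action"] != "mailbox.read":
            continue
        if e["actor"] not in readers:
            findings.append(_finding("UNAUTHORIZED_READ", e))
            continue
        if not e.get("mfa"):
            findings.append(_finding("READ_WITHOUT_MFA", e))
        if not e.get("ticket"):
            findings.append(_finding("READ_WITHOUT_TICKET", e))
    return findings


def audit_privileged_logins(events, readers=MAILBOX_READERS):
    """Flag logins by allowlisted readers that did not use MFA, whether or not a read followed."""
    return [
        _finding("PRIVILEGED_LOGIN_WITHOUT_MFA", e)
        for e in events
        if e["action"] == "login" and e["actor"] in readers and not e.get("mfa")
    ]


def reads_per_reader(events, readers=MAILBOX_READERS):
    """Count mailbox reads per allowlisted reader, listing zero-use readers too.

    With only a handful of readers this table is small enough for a human to review in full,
    which is the point of keeping the privileged set small.
    """
    counts = Counter(e["actor"] for e in events
                     if e["action"] == "mailbox.read" and e["actor"] in readers)
    return {reader: counts[reader] for reader in sorted(readers)}


def run_audit(text=SAMPLE_AUDIT_LOG, readers=MAILBOX_READERS):
    """Run every check over a JSON-lines audit log and return the combined findings."""
    events = parse_events(text)
    return audit_mailbox_reads(events, readers) + audit_privileged_logins(events, readers)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['ts']}  {f['kind']:<28} actor={f['actor']} target={f['target']}")
    print("reads per allowlisted reader:", reads_per_reader(parse_events(SAMPLE_AUDIT_LOG)))
```

On the constructed sample this reports the helpdesk account reading a mailbox it should never have reached, and one allowlisted reader working without MFA and without a ticket; the per-reader table shows the third reader did no reads at all. In a real deployment the allowlist would come from the identity provider's group membership rather than a constant, and the events from the mail platform's audit stream.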
> Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses.
It's consumer Hotmail. From Microsoft’s perspective, that is probably excuse enough.
Of course, I've seen pretty bad things in large HIPAA-covered entities with systems with PHI; insufficient security and accountability of support accounts and recovery processes is found lots of places.