Microsoft accused of disclosing Indian banking information with US intelligence agencies

Indian press reports raise security questions about cloud computing

Banks in India migrated to Office 365 have claimed that sensitive customer data has been shared by Microsoft with US intelligence agencies.

Indian press reports cite a leaked document from the Reserve Bank of India (RBI) which suggested that banks that have migrated to Microsoft Office 365 have had customers information shared with the US, with Microsoft effectively compelled to do so under US law.

According to the report, many banks are aware that Microsoft is information sharing, but that their end users were probably unaware of it.

Banks that have migrated to Microsoft Office 365 have had customers information shared with the US, with Microsoft effectively compelled to do so under US law

A risk assessment report (RAR) has been given to the banks' audit committees for their response.

RBI cited one specific example where: "It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers' data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities."

RBI found that this was an explicitly arranged deal, and that between 2014 and 2016 Microsoft had received 4,000 requests about Indian customers, and shared information on 3,036 occasions.

Microsoft told Indian site DNA Money: "No government has direct access to any of our users' data. Data privacy is a top priority for us.

"We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider legally appropriate and consistent with the rule of law and our Microsoft principles.

We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts

"Absent extraordinary circumstances, in the vast majority of cases we redirect governments to seek data directly from commercial customers or to allow us to tell our commercial customers when the government seeks their data."

Microsoft wouldn't go into the specifics of particular cases, but acknowledges that the data-sharing arrangements do exist.

At present, it's not clear if the banks or Microsoft has a specific case to answer, despite the news coming as a surprise to millions of customers.

IT security failings are, increasingly, costing CISOs, CIOs and CEOs their jobs.

With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security.

For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.