It appears that Microsoft is taking European data protection rules somewhat lightly. According to iX magazine, the company transfers personal data to the cloud before customers have even had the chance to consent to this. Login passwords are also reportedly transmitted as plain text rather than as a salted hash. Something seems to be going wrong. In the Netherlands, the data protection authorities are reacting: they are currently investigating whether the use of Office 365 complies with the law.
According to the iX report, Office 365 first transfers a large amount of data to Microsoft right after installation. This is so-called telemetry data, i.e. data about which programs are used and much more, which data protection authorities regard as personal data. The corresponding consent dialog, however, only appears afterwards. Under the EU General Data Protection Regulation (GDPR, in German DSGVO), this is not legally compliant. But that is not all: as soon as the first Office application is opened, users have to log in with their Office 365 account. The problem, according to iX: the login password itself is sent to the company, not a salted hash of it. The only protection on the wire is therefore TLS, the encryption of the transport route. (Note that hashing the password on the client would not by itself prevent an eavesdropper from replaying the captured value; what actually protects the credential in transit is the integrity of the TLS connection, which is exactly why the following points matter.) That transport encryption is weaker than it could be, because Microsoft no longer uses certificate pinning as it did for earlier Windows updates. Instead, software distribution now relies on a certificate covering 14 wildcard domains. If that certificate or its private key is lost from a distribution server, the entire Office 365 infrastructure is affected at once. And because the certificate process is opaque, it is also unclear whether someone who happens to hold one of these certificates could read the traffic in transit.
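The two properties discussed above, wildcard coverage and the absence of pinning, are easy to check from a client's point of view. The following is an added example written for this page; it is not code from iX, Microsoft or Office 365. It generates a self-signed certificate with constructed hostnames (the names ending in example.test are placeholders, not Microsoft domains), lists the wildcard entries in its Subject Alternative Names, and then shows the check that pinning adds on top of ordinary name validation: a second certificate for exactly the same names, but with a different key, is rejected because its SubjectPublicKeyInfo hash is not in the allowed set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a self-signed server certificate for the given DNS names.
// It is a constructed stand-in for a distribution-server certificate; no real
// Microsoft certificate is used here.
func makeCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// wildcardNames returns the SAN entries that are wildcards, e.g. "*.example.test".
// A single certificate with many such entries is valid for every host under
// each of those domains, which is what makes its key so valuable to an attacker.
func wildcardNames(cert *x509.Certificate) []string {
	var out []string
	for _, n := range cert.DNSNames {
		if strings.HasPrefix(n, "*.") {
			out = append(out, n)
		}
	}
	return out
}

// spkiPin computes the usual public-key pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches reports whether the certificate's key is one the client expects.
// Name validation alone accepts any CA-issued certificate for the host; pinning
// only accepts the keys the client was shipped with.
func pinMatches(cert *x509.Certificate, allowed []string) bool {
	pin := spkiPin(cert)
	for _, a := range allowed {
		if a == pin {
			return true
		}
	}
	return false
}

// pinVerifier returns a callback with the signature of tls.Config.VerifyPeerCertificate,
// so the same check can be wired into a real TLS client.
func pinVerifier(allowed []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !pinMatches(leaf, allowed) {
			return fmt.Errorf("leaf SPKI pin %s is not in the allowed set", spkiPin(leaf))
		}
		return nil
	}
}

func main() {
	// Constructed names; a real distribution certificate would list its own domains.
	names := []string{"*.a.example.test", "*.b.example.test", "update.example.test"}
	good, _ := makeCert(names)
	fmt.Println("wildcard SANs:", wildcardNames(good))
	pins := []string{spkiPin(good)}
	// A second certificate for the same names but a different key: this is what an
	// attacker with a mis-issued or stolen certificate would present.
	rogue, _ := makeCert(names)
	fmt.Println("legitimate cert passes pin:", pinVerifier(pins)([][]byte{good.Raw}, nil) == nil)
	fmt.Println("rogue cert passes pin:", pinVerifier(pins)([][]byte{rogue.Raw}, nil) == nil)
}
```

The point of the second certificate is that it would pass hostname validation just as well as the first one; only the pin tells them apart. Pins are tied to keys, not to domains, so an update client shipping with a pin set has to be updated whenever the distribution key rotates, which is the operational cost that makes vendors drop pinning.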
Another crucial issue, one that borders on illegality, is that Microsoft records everything as soon as an Office product is used while connected to the Internet, which in practice is nearly all the time. For example, it logs who opened and saved which document, when, and which templates were used. Here, too, a man-in-the-middle proxy could be used to gain access to all of this data. Managers might be tempted to use such records to monitor their employees; this kind of employee monitoring, however, is illegal in Europe.
Anyone who thinks that Microsoft provides sufficient data protection with Office 365 is making a serious mistake. The conclusion, which iX also reaches, can only be this: encrypt your data locally before it leaves the company and is stored in the cloud application. This is possible, for example, with a solution such as the eperi Gateway. Not only is all critical data encrypted, but the customer also retains control over the cryptographic keys and the entire encryption process. This allows customers to take advantage of a cloud application like Office 365 without having to worry about the security of their sensitive data.