Microsoft sued for allegedly sharing Office 365 customer data

Hand holding a phone showing Office 365 platform

Microsoft is routinely sharing business customers’ data, including personal and corporate information, with Facebook and other third parties despite publicly claiming it doesn’t, according to a lawsuit.

Although the company claims to keep Office 365 and Microsoft Exchange business customers’ data secure, Microsoft is being sued for allegedly sharing the content of business customers’ emails, documents, contacts, and other information, without their consent.

A lawsuit filed with the US District Court, Northern District of California also claims Microsoft inappropriately uses its business customers’ data to derive insights and develop new products and services which it sells to others.

The class-action lawsuit has accused the company of misrepresenting its privacy and security practices, violating federal and state laws, and illegally sharing customer data with the likes of Facebook, other third-parties, and subcontractors.

“Like a mantra, Microsoft has repeatedly promised business customers that it will use their content and data exclusively to provide them with the purchased services; that, solely for those purposes, it will share their data with its subcontractors and certain others only on a need-to-know basis; and that it will never share the customer’s data with third parties at all,” the lawsuit said.

“In fact, contrary to its representations, Microsoft has regularly shared - and continues to share- its business customers’ data with Facebook and other third parties.

“The details shared even when neither the customers nor their contacts are Facebook users. And, once Facebook obtains the data, harmful consequences can follow, as demonstrated by the data harvesting debacle orchestrated by Cambridge Analytica targeting the 2016 national election, using data obtained by Facebook.”

The information allegedly being shared includes the content of business customers’ emails, documents, contacts, calendars, location data, audio files, and video files, among other forms of data. Those taking legal action are concerned that Microsoft has shared such data with “hundreds of subcontracts” that have since suffered data breaches, in addition to the likes of Facebook app developers.


To encrypt, or not to encrypt: What is the regulation?

Secure compliance with the right mix of technology and information


Also in a violation of public statements, Microsoft has apparently used business data to develop new products and services to sell to others, to glean business intelligence, and to derive general commercial benefit.

Data-sharing with Facebook has garnered particular attention in the lawsuit, particularly given how routinely it finds itself reeling from data breaches and data-sharing complaints. The social media giant, as of last February, was the subject of ten major GDPR investigations, for example.

The lawsuit claims that although Facebook is not necessary to provide Office 365 or Exchange Online services to Microsoft’s business customers, the company routinely and automatically shares its customers’ contacts with the company without consent.

Even if a customer discovers and disables Facebook-sharing, the fact the software shares this data by default from the very start means the damage is done. This is compounded by a Microsoft-written explanation in technical instruction that once contacts are transferred to Facebook, they cannot be deleted from Facebook systems except by Facebook.

Moreover, because Microsoft shares data with Facebook, the lawsuit asserts this customer data is accessible not just by Facebook, but also by whichever entity Facebook shares the data with, and whichever entity those entities share the data with “ad infinitum”.

“We’re aware of the suit and will review it carefully," a Microsoft spokesperson told IT Pro.

"However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.