by strict9 106 days ago
It appears personal devices were also impacted by this via Microsoft Intune. That app is presented to employees as a way to get their email/slack on their personal device without giving IT systems access to it.

IT systems around the country say that they have no access to your personal data and that they can only block access to Intune apps.

But the linked reddit thread[1] in this article notes personal devices getting wiped and locked out.

[1]: https://www.reddit.com/r/cybersecurity/comments/1rqopq0/stry...


Bring Your Own Device (BYOD) MDM profiles typically don't allow personal data access outside of their sandbox, but they almost always include remote wipe capabilities.

iOS at least displays a very clear warning when you import the profile telling you exactly what it can do.

Not that this isn't awful, but it's good to be clear on what this can do when used within normal expectations.

Which is why I allow Slack but not Teams or Exchange-based mail on my phone. Give me a company phone if you want me to use Teams.

Knowing the Intune MDM setup, it has two modes: control a few apps or control the entire phone. iOS will tell you during setup what's happening, and I've been at plenty of companies where employees are told "It's just for our apps" but it's really full device control. $TwoCompaniesAgo tried that "It's just for our applications" line, but when I went to install it, iOS went "This is 100% full device control" and I rejected it.

Exactly this. I love that Apple tells you it's in effect a big Trojan that can do anything. Yeah, no thanks.

MDM enrollment has colloquially meant, for quite some time, that your device could be wiped for the security (or incompetence) of your firm.

Intune has two modes, device registration and user registration, and two kinds of wipes, retire and wipe. Retire means only delete your work profile and is only available for user-registration MDM. Sounds like Stryker didn't configure Intune properly for BYOD to force users with personal devices to use user registration.

Beyond that, there are so many other things in Intune you can use to prevent this sort of thing: short-lived / JIT credentials with MFA, IP restrictions, multi-admin approval, RBAC (role-based fine-tuned permissions, e.g. help desk can't wipe, only retire), etc. Sounds like there were some big misses here.

Also sounds like they were in the system long enough to exfiltrate 50+ TB of data without setting off alarm bells.
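The retire/wipe and role separation described in the comment above, written out as a pre-check that an admin tooling layer would run before issuing any Intune remote action. This is an added example, not code from the thread, from Stryker or from Microsoft. The record shape (`managedDeviceOwnerType`, `deviceEnrollmentType`) and the two action endpoints follow the Microsoft Graph `managedDevice` resource as an assumption; the enrollment-type set, role names, sample devices and MFA flag are constructed for illustration and would need to match a real tenant's inventory and RBAC configuration.

```python
"""
Policy gate for Intune remote actions on BYOD devices (added example).

Encodes three rules from the discussion: retire removes only the work
profile while wipe factory-resets; a personal device is only ever retired;
help-desk roles can retire but not wipe. Graph property names and the
retire/wipe endpoints are assumptions taken from the managedDevice resource;
all sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

RETIRE = "retire"  # POST /deviceManagement/managedDevices/{id}/retire  (work data only)
WIPE = "wipe"      # POST /deviceManagement/managedDevices/{id}/wipe    (factory reset)

# Enrollment types that register only the user's work container, never the
# whole device. Assumption: adjust to the values present in your tenant.
BYOD_ENROLLMENTS = {"appleUserEnrollment", "appleUserEnrollmentWithServiceAccount"}

# Least-privilege mapping of Intune RBAC role -> remote actions it may invoke.
# Hypothetical role names; the point is that help desk can retire, not wipe.
ROLE_ACTIONS = {
    "HelpDesk": {RETIRE},
    "DeviceAdmin": {RETIRE, WIPE},
}

# Constructed sample inventory, shaped like Graph managedDevice objects.
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "alice-iphone", "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "appleUserEnrollment"},
    # Personal phone under full-device MDM: the misconfiguration the comment describes.
    {"id": "d2", "deviceName": "bob-iphone", "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "userEnrollment"},
    {"id": "d3", "deviceName": "LAPTOP-0042", "managedDeviceOwnerType": "company",
     "deviceEnrollmentType": "windowsAzureADJoin"},
]


@dataclass
class Decision:
    allowed: bool
    action: Optional[str]
    endpoint: Optional[str]
    reason: str


def is_personal(device: dict) -> bool:
    return device.get("managedDeviceOwnerType") == "personal"


def is_byod_enrolled(device: dict) -> bool:
    return device.get("deviceEnrollmentType") in BYOD_ENROLLMENTS


def audit_byod_enrollment(devices: list) -> list:
    """IDs of personal devices whose enrollment gives Intune full-device control."""
    return [d["id"] for d in devices if is_personal(d) and not is_byod_enrolled(d)]


def decide_action(device: dict, requested: str, role: str, mfa_fresh: bool) -> Decision:
    """Gate a requested remote action; return the action that is actually safe to run."""
    if not mfa_fresh:
        return Decision(False, None, None, "operator session lacks a fresh MFA claim")
    if requested not in ROLE_ACTIONS.get(role, set()):
        return Decision(False, None, None, f"role {role} may not invoke {requested}")
    action = requested
    if is_personal(device):
        if not is_byod_enrolled(device):
            # Retire is not available for a full-device enrollment, and wiping a
            # personal phone is never acceptable: re-enroll instead of acting.
            return Decision(False, None, None,
                            "personal device under full-device MDM; re-enroll, do not wipe")
        if requested == WIPE:
            action = RETIRE  # downgrade: never factory-reset a personal device
    endpoint = f"/deviceManagement/managedDevices/{device['id']}/{action}"
    return Decision(True, action, endpoint, "ok")


if __name__ == "__main__":
    print("personal devices in full MDM:", audit_byod_enrollment(SAMPLE_DEVICES))
    for d in SAMPLE_DEVICES:
        print(d["deviceName"], decide_action(d, WIPE, "DeviceAdmin", True))
```

Running the audit over a real inventory is the quick check for the misconfiguration the comment suspects: any ID it returns is a personal device that a wipe would factory-reset, and the gate refuses to act on it at all rather than guessing. The downgrade of wipe to retire for properly enrolled personal devices, together with the role map, is what keeps a help-desk credential, even a stolen one, from turning into a fleet-wide wipe.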