38 million records exposed online
Researchers found that as many as 38 million records from web apps built on Microsoft's Power Apps portals platform were left exposed online. The records include data from COVID-19 contact-tracing efforts, vaccine registrations, and employee databases, including addresses, telephone numbers, social security numbers, and vaccination status.
Wired reports that data from several large organizations was among the exposed records, including American Airlines, Ford, the Indiana Department of Health, and New York City public schools. The exposures have since been closed.
UpGuard's researchers first identified the issue in May. According to their analysis, data held by many Power Apps portals was publicly accessible rather than private.
Microsoft's Power Apps service lets customers build their own web and mobile apps with little or no code. Portals built with it expose the data they collect through APIs (OData feeds) that developers can consume. At the time, however, those feeds were readable anonymously unless a portal's table permissions had been explicitly enabled, so keeping data private required manual reconfiguration rather than being the default.
When notified, Microsoft responded that its products offer customers flexibility and privacy features that let them design scalable solutions to meet their needs, adding that it takes privacy seriously and encourages customers to follow best practices when configuring products.
Earlier this month, Microsoft said that Power Apps portals will now keep data exposed through the APIs private by default. It also released a tool that lets developers check whether their existing portals' settings expose data.
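The two paragraphs above describe the core problem (portal list data reachable anonymously through the OData feed unless permissions were switched on) and the fix (check your settings). The script below is an added example, not code from the article, UpGuard or Microsoft: it audits a portal from the outside by reading the OData service document and requesting one row from each advertised entity set without credentials. It assumes the documented portal feed path `/_odata` and a standard OData v4 service document; the `example.powerappsportals.com` host and the recorded responses in `SAMPLE_RESPONSES` are constructed so the audit can run offline.

```python
"""Audit a Power Apps portal for anonymously readable OData lists.

Added example, not code from the original article or from UpGuard/Microsoft.
Assumes the documented portal OData feed path `/_odata` and an OData v4
service document; SAMPLE_RESPONSES below are constructed for the offline demo.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def odata_service_url(portal_base: str) -> str:
    """Return the OData service document URL for a portal base URL."""
    return portal_base.rstrip("/") + "/_odata"


def parse_service_document(body: str) -> list:
    """Extract entity set names from an OData v4 service document (JSON)."""
    doc = json.loads(body)
    names = []
    for entry in doc.get("value", []):
        # Entries without an explicit kind are entity sets by OData convention.
        if entry.get("kind", "EntitySet") == "EntitySet" and "name" in entry:
            names.append(entry["name"])
    return names


def fetch_anonymous(url: str, timeout: float = 10.0):
    """Unauthenticated GET; returns (status, body). Network failure maps to status 0."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify_entity_set(status: int, body: str) -> str:
    """Map the anonymous response for one entity set to an audit verdict."""
    if status in (401, 403):
        return "protected"          # table permissions (or authentication) enforced
    if status == 404:
        return "not_enabled"        # no feed exposed for this list
    if status == 200:
        try:
            rows = json.loads(body).get("value", [])
        except (ValueError, AttributeError):
            return "unexpected"
        return "exposed" if rows else "reachable_empty"
    return "unexpected"


def audit_portal(portal_base: str, fetch=fetch_anonymous) -> dict:
    """Return {entity_set: verdict} for every entity set the portal advertises.

    `fetch` is injectable so the audit can run against recorded responses.
    """
    service_url = odata_service_url(portal_base)
    status, body = fetch(service_url)
    if status != 200:
        return {}                   # service document not anonymously readable
    results = {}
    for name in parse_service_document(body):
        # One row is enough to prove exposure without pulling the whole table.
        url = f"{service_url}/{quote(name)}?$top=1"
        results[name] = classify_entity_set(*fetch(url))
    return results


# Constructed responses standing in for a hypothetical portal (offline demo only).
SAMPLE_RESPONSES = {
    "https://example.powerappsportals.com/_odata": (200, json.dumps({
        "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "vaccinations", "kind": "EntitySet", "url": "vaccinations"},
            {"name": "cases", "kind": "EntitySet", "url": "cases"},
        ],
    })),
    "https://example.powerappsportals.com/_odata/contacts?$top=1": (200, json.dumps({
        "value": [{"contactid": "00000000-0000-0000-0000-000000000001",
                   "emailaddress1": "jane@example.test"}]})),
    "https://example.powerappsportals.com/_odata/vaccinations?$top=1": (403, ""),
    "https://example.powerappsportals.com/_odata/cases?$top=1": (200, json.dumps({"value": []})),
}


def sample_fetch(url: str, timeout: float = 10.0):
    """Stand-in for fetch_anonymous that replays the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = audit_portal(sys.argv[1])                     # live portal URL
    else:
        report = audit_portal("https://example.powerappsportals.com", fetch=sample_fetch)
    for name, verdict in sorted(report.items()):
        print(f"{verdict:16} {name}")
```

Run it with a portal URL to audit a live site you are authorized to test; with no argument it replays the constructed responses, reporting `contacts` as exposed, `vaccinations` as protected, and `cases` as reachable but returning no rows. A verdict of `exposed` means an anonymous client got real records back, which is exactly the condition the researchers found; `reachable_empty` still deserves a look, since an empty result may reflect permissions or simply an empty table.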
There is no indication so far that the exposed data was accessed or misused. UpGuard notes, however, that the most sensitive exposure was on Microsoft's own portal: 332,000 email addresses and Microsoft employee IDs used for payroll.
The incident is a reminder that even a small misconfiguration can become a large data exposure, and that an insecure default on a platform becomes the security posture of every customer who does not know to change it. In this case the exposures were closed before any known harm. Still, developers should verify access settings carefully, especially when exposing data through an API they did not design themselves, and treat "private by default" as something to confirm rather than assume.