Millions of exposed records caused by misconfigured Power Apps from Microsoft include health related data.
Over a thousand misconfigured web apps have resulted in millions of exposed records. An estimated 38 million records were reportedly exposed online. While there is no evidence that the exposed records were accessed by anyone, investigative research uncovered the fact that these records, which included lots of sensitive personal data, were readily accessible online.
Researchers discovered that the default settings for Power Apps were making data publicly accessible.
Researchers at an organization known as Upguard found one misconfigured app while enabling APIs, and noticed that the settings defaulted to making the data publicly accessible. Upon further inspection, they discovered that thousands more of the apps were similarly misconfigured, leaving the personal records of millions of data subjects available online. These records included phone numbers, home addresses, social security numbers and even COVID-19 vaccination status. This misconfiguration has affected several large companies and organizations, a testament to the far reaching consequences of this manner of incident. Although there is no evidence that these records were accessed by unauthorized persons, this situation is an attestation to the importance of ensuring privacy settings are as they should be, particularly with regard to cloud storage apps.
Misconfiguration is a common issue with cloud based platforms, and many major companies have taken steps to secure privacy.
The exposed data was all stored in Microsoft’s PowerApps portal service, a cloud based development platform that makes it easy to create web or mobile apps for external use. When it comes to cloud based platforms, misconfiguration is a common issue. Many major cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to ensure that customers’ data is stored privately by default, and to flag potential misconfigurations, but until fairly recently, the industry as a whole didn’t necessarily prioritize this issue.
Once Microsoft was informed of the issue of misconfiguration on their platform, they took immediate steps to correct it, and to alter their default settings.
Researchers at Upguard, the organization which discovered the misconfigured settings immediately took action. Upguard observed the extent of the exposures and notified as many affected organizations as possible. Due to the sheer reach of the damage, researchers couldn’t get to every entity. They then also disclosed the findings to Microsoft. After being informed of the issue in this instance, Microsoft immediately took steps to correct it. Earlier this month, Microsoft announced that Power Apps portals will now default to storing API data and other information privately. The company has also released a tool that customers can use to check their portal settings on their end.