At least 47 organizations inadvertently exposed millions of people’s personal information to the public internet for months by misconfiguring Microsoft software, according to cybersecurity firm UpGuard.
The data leak affected American Airlines, Maryland’s health department, and New York’s Metropolitan Transportation Authority, among others, resulting in employee information as well as data related to COVID-19 vaccinations and contact tracing being exposed, UpGuard said in a report.
The report attributed the leak to a privacy setting in Microsoft Power Apps, low-code tools widely used by public and private entities to share data.
Microsoft said it had fixed the problem and released a tool customers can use to check their Power Apps settings. But according to Wired, the data exposures “show how one bad configuration setting in a popular platform can have far-reaching consequences.”
“Misconfiguration of cloud-based databases has been a serious issue over the years, exposing huge quantities of data to inappropriate access or theft,” Wired noted.
UpGuard said it discovered in May that one organization had exposed its data because a Power Apps privacy setting designed to limit what data a user can see was, by default, set to “off.”
Some organizations, such as public health agencies, have used Power Apps to allow members of the public to access details of their own COVID-19 test results or vaccination records.
After finding numerous other examples of similarly unsecured databases on the web, UpGuard reported the issue to Microsoft in June. It said it had notified 47 entities of exposures, for a total of 38 million records across all portals. There may be more organizations that it did not find out about.
“Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey,” said Greg Pollock, UpGuard’s vice president of cyber research. “And we discovered there are tons of these exposed. It was wild.”
Microsoft told CNN that it had modified the software so organizations using Power Apps’ basic templates and design tools will have the privacy setting enabled automatically. Organizations doing more complex or custom development will still need to enable the setting themselves.