Microsoft Power Apps Suite's default permissions are flawed

Aug 26, 2021 02:55 GMT

In an unexpected data leak, more than 38 million records from 47 organizations using Microsoft's low-code platform Power Apps were accidentally exposed online, according to The Hacker News.

The unfortunate incident resulted in the leakage of sensitive information on servers of corporations such as Microsoft, J.B. Hunt, and American Airlines along with government agencies from Indiana, Maryland, and New York City.

Power Apps is mostly used for building custom low-code applications for mobile devices as well as websites. The platform created by Microsoft has a number of advantages, such as APIs that allow other applications to access data, ready-made templates, and built-in facilities for collecting, managing and storing information.

Key information that was exposed:

A misconfigured portal can make the data it stores publicly accessible, and this is what happened here. In short, the exposed data included:

  • 332,000 email addresses and employee IDs
  • More than 85,000 records associated with business support tools and a mixed reality portal

The data was most likely leaked through a misconfigured portal, the feature that handles the sharing and storing of data. UpGuard informed Microsoft of the exposure on June 24, 2021, only to have the case closed without action.

Nevertheless, when UpGuard shared the information with the public on July 15, Microsoft took measures to make its government cloud customers aware of the incident. More precisely, Microsoft released a Portal Checker tool to assess the risk of improper settings, and enforced table permissions on all newly created portals.

Cybersecurity researchers from UpGuard note, "Power Apps portals have options built in for sharing data, but they also have built in data types that are inherently sensitive," adding, "The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses."