An insecure default in the Microsoft Power Apps portals API led to more than a thousand web apps inadvertently exposing 38 million records online. Because the API made stored data publicly accessible by default, each organization had to enable the privacy settings itself to restrict access.
Some customers never did, leaving the insecure default in place, and their apps served up data that should have been private. The result was a series of data exposure incidents.
The exposure was discovered by researchers at UpGuard, who, as CPO Magazine has reported, sent notifications to the IT community and to consumers. The researchers also reported the issue to Microsoft's vulnerability disclosure program, and Microsoft has since indicated that it changed the portals to prevent further leaks of this kind.
The exposed records included data from several COVID-19 contact tracing platforms, as well as personal data from vaccination sign-ups, job application portals and employee databases, among it phone numbers, home addresses and Social Security numbers.
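The failure described above is an API that hands records to anonymous callers unless an owner opts in to restrictions. The check a practitioner wants is a standing audit that requests each data endpoint with no credentials at all and fails if any of them returns records. The script below is an added example, not code from the original article, from UpGuard or from Microsoft: it starts a small constructed HTTP server with two hypothetical list endpoints, one that mirrors the insecure default and one that requires a bearer token, then runs the anonymous-access audit against both. The endpoint paths, the token and the sample records are assumptions made for illustration; the audit function itself is generic and can be pointed at any base URL and list of paths.

```python
"""Audit data API endpoints for anonymous read access.

Added example, not code from the original article, UpGuard or Microsoft.
Endpoint paths, the token and the sample records are constructed for the demo.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError

# Constructed sample records standing in for the kind of PII the article describes.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Example", "ssn": "***-**-1234"},
    {"id": 2, "name": "B. Example", "ssn": "***-**-5678"},
]
EXPECTED_TOKEN = "Bearer example-token"  # assumption: fixed token for the demo


class DemoHandler(BaseHTTPRequestHandler):
    """Two hypothetical list endpoints: one public by default, one gated."""

    def do_GET(self):
        if self.path == "/api/public-list":
            # Insecure default: records returned to anyone who asks.
            self._send(200, SAMPLE_RECORDS)
        elif self.path == "/api/gated-list":
            # Hardened form: records only with a valid credential.
            if self.headers.get("Authorization") == EXPECTED_TOKEN:
                self._send(200, SAMPLE_RECORDS)
            else:
                self._send(401, {"error": "authentication required"})
        else:
            self._send(404, {"error": "not found"})

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Bind the constructed server to an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_anonymous(url, timeout=5):
    """GET url with no credentials; return (status, record_count or None)."""
    try:
        with request.urlopen(request.Request(url), timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:
        return err.code, None
    try:
        data = json.loads(body)
    except ValueError:
        return status, None
    if isinstance(data, list):
        return status, len(data)
    # Many list APIs wrap results in a {"value": [...]} envelope; count those too.
    if isinstance(data, dict) and isinstance(data.get("value"), list):
        return status, len(data["value"])
    return status, None


def audit_endpoints(base_url, paths):
    """Return the paths that hand records to an anonymous caller."""
    exposed = []
    for path in paths:
        status, count = probe_anonymous(base_url + path)
        if status == 200 and count is not None:
            exposed.append({"path": path, "records": count})
    return exposed


def run_demo():
    """Run the audit against the constructed server; only the public list should be flagged."""
    server = start_demo_server()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return audit_endpoints(base, ["/api/public-list", "/api/gated-list", "/api/missing"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print("EXPOSED: %s returns %d records without credentials"
              % (finding["path"], finding["records"]))
```

A 401 or 403 from the gated endpoint is the expected outcome and is not reported; only a 200 carrying records is. Run against a real deployment, `audit_endpoints` belongs in the release checklist or a scheduled job so that an endpoint that reverts to the permissive default is caught before someone outside the organization finds it.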
Looking into the matter for Digital Journal is Matt Sanders, who is the Director of Security at LogRhythm.
Sanders begins by considering the risks that come with relying on third-party platforms, and how easily a deployment built on one can go wrong.
Sanders notes: “This situation is a prime example of just how easily accessible personal data can be if not guarded behind the proper controls. In this case, 38 million personal records were exposed to the public after misconfigured default settings in a development platform were left publicly accessible.”
He is particularly concerned that: “Personally identifiable information (PII), which cannot be changed or updated like you can with a credit card number, such as Social Security numbers, home addresses and COVID-19 vaccination statuses were exposed to anyone who had access to the platform.”
The consequence is, Sanders explains: “This is a great opportunity for threat actors and cybercriminals to easily get ahold of valuable, personal data and use it to their advantage.”
There are, nevertheless, measures that can be taken. Sanders offers: “In order to quickly detect and neutralize security threats such as this one, it is essential for organizations to have the proper controls in place. Detection and response capabilities, authentication and access controls, and real-time monitoring and visibility are crucial to protecting valuable customer data.”
Sanders concludes by making the following recommendation: “Large enterprises must prioritize advanced security controls in order to keep a proper eye on the personal information that is stored in their databases.”