Massive Microsoft Power Apps data breach exposes personal details of 38 million people: American Airlines and NYC schools data including social security numbers and vaccination status among information leaked
- Microsoft’s Power Apps have been breached, according to Wired
- The personal data of 38 million people has been exposed
- Data includes COVID vaccination status, social security and phone numbers
- Affected companies include American Airlines, Ford, and NYC public schools
- It was unclear how the breach happened and who was responsible
- Researchers from security firm UpGuard found that the data was public
- They do not believe any of the 38 million people have been directly impacted so far
Personal data of 38 million people has been exposed following a breach of Microsoft’s Power Apps.
The data includes social security and phone numbers, COVID vaccination status and home addresses.
Companies affected by the breach include American Airlines, New York City public schools, Ford, the Maryland Department of Health, and the New York City Municipal Transportation Authority.
It was unclear how the breach happened, or who was responsible.
Researchers at cybersecurity firm UpGuard found the breaches in May. They do not think anyone’s data has been fraudulently used so far. Their findings were made public on Monday.
Microsoft’s Power Apps have been affected by the breach, which saw the data of 38 million people exposed
The exposed data was all stored in Microsoft’s Power Apps portal service, Wired reported.
Power Apps is a development platform that makes it easy to create web or mobile apps for external use.
If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.
‘We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?’ said Greg Pollock, UpGuard’s vice president of cyber research.
‘Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey.
‘And we discovered there are tons of these exposed. It was wild.’
At the beginning of August, Microsoft announced that the Power Apps portals will now default to storing API data and other information privately.
‘Secure default settings matter,’ said Kenn White, director of the Open Crypto Audit Project.
He told Wired: ‘When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong.
‘If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.’