The cyber security firm UpGuard released a report on Monday, 23 August 2021, disclosing leaks of 38 million records from Microsoft's Power Apps platform. The exposed data is highly personal in nature: COVID-19 vaccination appointment records, social security numbers of job applicants, COVID-19 contact-tracing data, and millions of names, email addresses and phone numbers.
UpGuard attributed the leak to a misconfiguration in Power Apps portals, the part of the platform used to publish public-facing web and mobile applications whose data lives in Microsoft Dataverse. A portal can expose a list of Dataverse records as an OData (Open Data Protocol) API feed. The problem was the default: on a portal created with the default settings, turning on the OData feed made the underlying records readable by anyone on the internet, because the feed only honoured table permissions once the developer manually switched on the "Enable Table Permissions" option for that list. Until that option was set, anonymous access to the data continued, and nothing in the portal warned the developer that it had.
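The check a portal owner would want after reading the above is simple: fetch the portal's OData service document without any credentials, then request one row from each entity set it lists, and see what comes back. The script below is an added example, not UpGuard's tooling and not Microsoft's Portal Checker. It assumes the feed is served under the `/_odata` path (the path Power Apps portals use for list OData feeds) and that a permission-enforced feed answers with 401/403 or with an empty result set; the `sample_get` responses are constructed so the logic can be exercised offline. Only run it against portals you are authorized to test.

```python
"""Anonymous OData exposure check for a Power Apps portal.

Added example (not UpGuard's or Microsoft's code). Assumes OData v4
feeds under <portal>/_odata. Probe only portals you are allowed to test.
"""
import json
import sys
import urllib.error
import urllib.request

# Field-name fragments that suggest personal data in a returned record.
SENSITIVE_HINTS = ("ssn", "social", "email", "phone", "birth", "dob",
                   "vaccin", "address", "passport", "licen")


def http_get(url):
    """Unauthenticated GET returning (status, body). No cookies and no
    tokens are sent, so the response is what an anonymous visitor sees."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def sensitive_fields(record):
    """Sorted names of fields whose name hints at personal data."""
    return sorted(k for k in record
                  if any(h in k.lower() for h in SENSITIVE_HINTS))


def check_portal(base_url, get=http_get):
    """Probe base_url/_odata anonymously.

    Returns {entity_set: (verdict, sensitive_field_names)} with verdict
    'exposed' (rows came back), 'empty' (HTTP 200 but no rows, which is
    what a permission-filtered feed can look like), 'denied' (401/403)
    or 'error:<detail>'. Returns {} if no service document is served.
    `get` is injectable so the logic can be tested without a network.
    """
    root = base_url.rstrip("/") + "/_odata"
    status, body = get(root)
    if status != 200:
        return {}
    try:
        # OData v4 service document: {"value": [{"name":..., "kind":...}]}
        entity_sets = [e["name"] for e in json.loads(body).get("value", [])
                       if e.get("kind", "EntitySet") == "EntitySet"]
    except (ValueError, KeyError, TypeError):
        return {}

    results = {}
    for name in entity_sets:
        # $top=1 limits the pull: one row is enough to prove exposure.
        status, body = get(f"{root}/{name}?$top=1")
        if status in (401, 403):
            results[name] = ("denied", [])
        elif status != 200:
            results[name] = (f"error:{status}", [])
        else:
            try:
                rows = json.loads(body).get("value", [])
            except ValueError:
                results[name] = ("error:bad-json", [])
                continue
            if rows:
                results[name] = ("exposed", sensitive_fields(rows[0]))
            else:
                results[name] = ("empty", [])
    return results


# Constructed sample responses (not from any real portal) for offline use:
# one list wide open with PII, one behind table permissions, one empty.
SAMPLE_ROOT = "https://portal.example/_odata"
SAMPLE_RESPONSES = {
    SAMPLE_ROOT: (200, json.dumps({"value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "cases", "kind": "EntitySet", "url": "cases"},
        {"name": "feedback", "kind": "EntitySet", "url": "feedback"}]})),
    SAMPLE_ROOT + "/contacts?$top=1": (200, json.dumps({"value": [
        {"contactid": "1", "emailaddress1": "a@b.example", "ssn": "000-00-0000"}]})),
    SAMPLE_ROOT + "/cases?$top=1": (403, ""),
    SAMPLE_ROOT + "/feedback?$top=1": (200, json.dumps({"value": []})),
}


def sample_get(url):
    """Offline stand-in for http_get backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = check_portal(sys.argv[1])          # live, anonymous probe
    else:
        findings = check_portal("https://portal.example", get=sample_get)
    for name, (verdict, fields) in sorted(findings.items()):
        extra = f" (fields: {', '.join(fields)})" if fields else ""
        print(f"{name}: {verdict}{extra}")
```

An `exposed` verdict with sensitive-looking field names is the condition UpGuard reported; an `empty` verdict is not proof of safety, since it can also mean the list simply has no rows, so confirm in the portal configuration that table permissions are enabled for every list with an OData feed.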
The leak affected major institutions and companies, including the Indiana Department of Health, New York City public schools, American Airlines and Microsoft itself. Greg Pollock, UpGuard's vice president of cyber research, described the leak as "wild" and emphasized that it is the responsibility of cloud providers like Microsoft to ensure that default settings are congruent with privacy concerns. After UpGuard's notification, Microsoft reiterated its commitment to data privacy, changed the default so that table permissions are enforced for newly created portals, and updated its Portal Checker tool to flag lists whose OData feeds are reachable anonymously. Existing portals were not retroactively changed, so owners of older portals still need to verify their own settings.
The leak comes amid growing concern about misconfigurations causing data leaks. In 2017, for instance, a misconfigured Amazon S3 bucket belonging to Deep Root Analytics exposed the personal information of 198 million US voters. Although a few providers such as Google Cloud Platform and Amazon Web Services have since moved toward safer defaults (AWS, for example, added S3 Block Public Access in 2018), the broader issue of secure-by-default settings has not garnered significant attention until recently.