According to a report by cybersecurity firm UpGuard, a Microsoft Power Apps data breach exposed 38 million records including personally identifiable information (PII). The exposure affected 47 organizations from a variety of industries, including some government-run public health agencies.
- Recent investigation: On May 24, 2021, an UpGuard researcher identified an anonymously accessible list of data in the Open Data Protocol (OData) API for an organization's Power Apps portal. Names, COVID-19 contact tracing information, vaccination appointments, Social Security numbers, employee IDs, and email addresses were among the PII revealed.
- Vulnerability report: One month later, UpGuard sent Microsoft a vulnerability report that included techniques for identifying exposed OData feeds and the URLs of accounts that were exposing data. On June 29, Microsoft declared the case closed. "We determined that this behavior is considered to be by design," the Microsoft Security Response Center wrote in an email to UpGuard.
- Involvement: American Airlines, Ford, the Maryland Department of Health, the New York City Municipal Transportation Authority and the state of Indiana were among those notified by UpGuard. Microsoft became involved once UpGuard found some of the most serious exposures.
- Cloud-based package: Microsoft Power Apps is a cloud-based package of services that lets businesses build business intelligence apps. Through Power Apps portals, internal and external users can access data over a public website. Users can store data, create forms for other users to fill out, and access data from other applications through APIs. Whether a table's rows are readable anonymously through the portal's OData feed depends on the portal's table permissions, which is the setting at the center of this report.
- Complaint: In early July, UpGuard identified the same weakness in Microsoft's own portals. The firm filed an abuse complaint that included a list of all Power Apps and Microsoft CRM accounts that held Microsoft data. The most serious exposure on Microsoft's side involved 332,000 email addresses and employee IDs from its global payroll services. Following the inquiry, Microsoft changed Power Apps portals to enable table permissions by default, and it also provides customers with a tool to self-diagnose their portals.
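The following Python script is an added example, not code from the article, UpGuard or Microsoft. It shows the check a portal administrator would want after reading the points above: read the OData service document a Power Apps portal serves at its feed root, note which entity sets answered an unauthenticated request with HTTP 200 (meaning table permissions did not block anonymous reads), and rank those sets by whether their column names look like PII. The `/_odata` feed path is the documented Power Apps portals feed location; the PII name patterns, the sample service document, the probe results and the column lists are all constructed for this example so it runs offline.

```python
"""Offline audit helper for a Power Apps portal OData feed (added example)."""
import json
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Heuristic list of column-name fragments that commonly hold PII
# (assumed for this example; tune it to your own schema).
PII_PATTERNS = [
    r"ssn", r"social", r"email", r"phone", r"birth", r"dob", r"address",
    r"employeeid", r"vaccin", r"covid", r"passport",
]


def parse_service_document(doc: dict) -> list:
    """Return the entity set names advertised by an OData v4 service document.

    The service document is what a client receives from the feed root
    (https://<portal>/_odata); each 'value' entry of kind EntitySet is a
    table that the portal exposes through the feed.
    """
    return [e["name"] for e in doc.get("value", [])
            if e.get("kind", "EntitySet") == "EntitySet"]


def pii_like_fields(fields) -> list:
    """Return the fields whose names match one of PII_PATTERNS (case-insensitive)."""
    return [f for f in fields
            if any(re.search(p, f.lower()) for p in PII_PATTERNS)]


def assess_exposure(entity_sets, anon_status, fields_by_set) -> list:
    """Rank each anonymously readable entity set.

    anon_status maps an entity set to the HTTP status an unauthenticated GET on
    /_odata/<set> returned: 200 means rows are readable without signing in,
    while 401/403/404 mean table permissions (or a disabled feed) blocked it.
    fields_by_set maps an entity set to its column names from $metadata.
    """
    findings = []
    for name in entity_sets:
        if anon_status.get(name) != 200:
            continue  # blocked: nothing to report for this set
        pii = pii_like_fields(fields_by_set.get(name, []))
        findings.append({
            "entity_set": name,
            "anonymous_read": True,
            "pii_fields": pii,
            "severity": "high" if pii else "medium",
        })
    # High-severity findings first, then alphabetical for stable output.
    findings.sort(key=lambda f: (f["severity"] != "high", f["entity_set"]))
    return findings


def fetch_status(url, timeout=10) -> int:
    """Unauthenticated GET returning the HTTP status code, for use against a
    portal you administer. Not called by the offline demo below."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


# Constructed sample of a service document, shaped like a feed root response.
SAMPLE_SERVICE_DOC = {
    "@odata.context": "https://example-portal.invalid/_odata/$metadata",
    "value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
        {"name": "announcements", "kind": "EntitySet", "url": "announcements"},
    ],
}
# Constructed probe results: status of an unauthenticated GET on each set.
SAMPLE_ANON_STATUS = {"contacts": 200, "appointments": 200, "announcements": 403}
# Constructed column lists, as they would be read from the feed's $metadata.
SAMPLE_FIELDS = {
    "contacts": ["fullname", "emailaddress1", "ssn", "employeeid"],
    "appointments": ["scheduledstart", "subject"],
    "announcements": ["title", "body"],
}


def demo() -> list:
    """Run the audit over the constructed samples and return the findings."""
    sets = parse_service_document(SAMPLE_SERVICE_DOC)
    return assess_exposure(sets, SAMPLE_ANON_STATUS, SAMPLE_FIELDS)


if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

In the sample, `contacts` is reported as high severity because it is readable anonymously and carries email, SSN and employee-ID columns, `appointments` as medium because it is readable but matches no PII pattern, and `announcements` is not reported at all because the 403 shows table permissions are doing their job. To use it on a real portal, replace the constructed status map with `fetch_status()` results for each set and feed in the column names from the portal's `$metadata` document.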