Data leak exposed 38 million records, including COVID-19 vaccination statuses


Around 38 million records from north of a thousand web apps that use Microsoft’s Power Apps platform were left exposed online, according to researchers. The records are said to have included data from COVID-19 contact tracing efforts, vaccine registrations and employee databases, such as home addresses, phone numbers, social security numbers and vaccination status.

Data from some large companies and institutions was exposed in the incident, according to Wired, including American Airlines, Ford, the Indiana Department of Health and New York City public schools. The vulnerability has mostly been resolved.

Researchers from security company Upguard started looking into the issue in May. They found data from many Power Apps that was supposed to be private was available for anyone to access if they knew where to look. 

The Power Apps service aims to make it easy for customers to make their own web and mobile apps. It offers application programming interfaces (APIs) for developers to use with the data they collect. However, Upguard found that using those APIs makes the data obtained through Power Apps public by default, and manual reconfiguration was required to keep the information private.

Upguard says it sent a vulnerability report to the Microsoft Security Resource Center on June 24th, including links to Power Apps accounts on which sensitive data was exposed and steps to identify APIs that enabled anonymous access to data. Researchers worked with Microsoft to clarify how to reproduce the issue. However, an Microsoft analyst told the firm on June 29th that the case was closed and they “determined that this behavior is considered to be by design.”

Upguard then started notifying some of the affected companies and organizations, which moved to lock down their data. It raised an abuse report with Microsoft on July 15th. By July 19th, the company says that most of the data from the Power Apps in question, including the most sensitive information, had been made private. Engadget has contacted Microsoft for comment.

Earlier this month, Microsoft said Power Apps will keep data private by default when developers harness the APIs. In addition, it released a tool for developers to check their Power Apps settings.

There’s no indication as yet that any of the exposed data has been compromised. Among the most sensitive information that was left in the open were 332,000 email addresses and Microsoft employee IDs that are used for payroll, according to Upguard. The company also says that more than 39,000 records from portals related to Microsoft Mixed Reality were exposed, including users’ names and email addresses.

The incident underscores the fact that a misconfiguration, no matter how seemingly minor, could lead to serious data breaches. That doesn’t appear to be the case here, thankfully. Still, it goes to show that developers should probably triple check their settings, especially when plugging in an API they haven’t designed themselves.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Leave a Reply

Your email address will not be published. Required fields are marked *