In August, dozens of organizations using Microsoft Power Apps inadvertently exposed 38 million records — COVID-19 contact tracing, job applicants’ Social Security numbers, and even 332,000 email addresses and employee IDs used by Microsoft’s own global payroll services.
In addition to Microsoft, other organizations affected included American Airlines; Ford; J.B. Hunt; and agencies in Indiana, Maryland and New York City.
According to researchers at UpGuard, the security firm that discovered the leaks, Microsoft Power Apps portals were easy to set up in such a way as to allow for public access.
“Multiple governmental bodies reported performing security reviews of their apps without identifying this issue,” said the report.
The problem lay in how the system’s application programming interfaces — the APIs — were configured.
“The tools that allow the creation of APIs are defaulted to make the data accessible to the public, and organizations must enable privacy settings manually,” said Radu Crahmaliuc, security specialist at security firm Bitdefender.
Most of them didn’t, he told Data Center Knowledge.