Another day, another data breach.

This time, 38 million records from 1,000+ web apps on Microsoft’s Power Apps portals platform have been exposed online.

The leaked records contain some pretty sensitive data, including:

  • COVID-19 contact tracing records
  • Vaccine registrations
  • Phone numbers
  • Home addresses
  • Social security numbers

According to UpGuard, the organization that uncovered the vulnerability, some of the companies and organizations whose data was exposed include American Airlines, Ford, J.B. Hunt, New York City Public Schools and Municipal Transportation Authority, Maryland and Indiana Departments of Health, and others.

The report stated that the vulnerability has been resolved, and can be found on Microsoft’s Power Apps developer page.

Power Apps is a tool that allows organizations to easily make mobile and web apps, using application programming interfaces (APIs) that let developers work with the data each app collects. Per Engadget, security company UpGuard found that the API made the data public by default and required a manual change to make it private.

In UpGuard’s report on the data leaks, it’s clear that this is part of a larger issue – one we learned with SolarWinds and Microsoft Exchange earlier this year: Organizations need to find ways to manage third-party risks.

Following a month of research on this possible vulnerability, UpGuard disclosed it to Microsoft on June 24, 2021. Microsoft’s Security Response Center replied to the initial inquiry that the behavior was considered to be “by design.” However, they reconsidered this as UpGuard began to contact some of the more severe cases – namely, American Airlines, J.B. Hunt, and several state and local governments that were heavily affected.
