
COVID Vaccine Data, Social Security Numbers …
Another day, another data breach.
This time, 38 million records from 1,000+ web apps on Microsoft’s Power Apps portals platform have been exposed online.
The leaked records include some pretty sensitive data:
- COVID-19 contact tracing records
- Vaccine registrations
- Phone numbers
- Home addresses
- Social security numbers
According to UpGuard, the organization that uncovered the vulnerability, some of the companies and organizations whose data was exposed include American Airlines, Ford, J.B. Hunt, New York City Public Schools and Municipal Transportation Authority, Maryland and Indiana Departments of Health, and others.
The report stated that the vulnerability has been resolved, and can be found on Microsoft’s Power Apps developer page.
Power Apps is a tool that lets organizations easily build mobile and web apps, using application programming interfaces (APIs) that give developers access to the data each app collects. Per Engadget, security company UpGuard found that the API made the data public by default and required a manual change to make it private.
In UpGuard’s report on the data leaks, it’s clear that this is part of a larger issue – one we learned about with SolarWinds and Microsoft Exchange earlier this year: organizations need to find ways to manage third-party risks.
Following a month of research on this possible vulnerability, UpGuard disclosed it to Microsoft on June 24, 2021. Microsoft’s Security Response Center replied to the initial inquiry that the behavior was considered to be “by design.” However, they reconsidered this as UpGuard began to contact the organizations behind some of the more severe cases – namely, American Airlines, J.B. Hunt, and several state and local governments that were heavily affected.