Another day, another data breach.

This time, 38 million records from 1,000+ web apps on Microsoft’s Power Apps portals platform have been exposed online.

The leaked records contain some pretty sensitive data, including:

  • COVID-19 contact tracing records
  • Vaccine registrations
  • Phone numbers
  • Home addresses
  • Social security numbers

According to UpGuard, the organization that uncovered the vulnerability, some of the companies and organizations whose data was exposed include American Airlines, Ford, J.B. Hunt, New York City Public Schools and Municipal Transportation Authority, Maryland and Indiana Departments of Health, and others.

The report stated that the vulnerability has been resolved, and can be found on Microsoft’s Power Apps developer page.

Power Apps is a tool that allows organizations to easily build mobile and web apps, using application programming interfaces (APIs) that give developers access to the data each app collects. Per Engadget, security company UpGuard found that the API made the data public by default and required a manual change to make it private.

UpGuard’s report on the data leaks makes clear that this is part of a larger issue, one whose lesson we learned with SolarWinds and Microsoft Exchange earlier this year: organizations need to find ways to manage third-party risks.

Following a month of research on this possible vulnerability, UpGuard disclosed it to Microsoft on June 24, 2021. Microsoft’s Security Response Center replied to the initial inquiry that the behavior was considered to be “by design.” However, they reconsidered this as UpGuard began to contact some of the more severe cases – namely, American Airlines, J.B. Hunt, and several state and local governments that were heavily affected.
