An incorrect default permission setting exposed personally identifiable information (PII) of more than 30 million U.S. citizens across a few hundred portals, according to cybersecurity researchers.
The UpGuard research team discovered over a thousand lists accessible anonymously on a few hundred portals that included sensitive details such as an individual’s Covid-19 vaccination status, as well as their phone numbers, their home address and social security number (SSN), and more.
Data leaked misconfigured PowerApps portals, which not only allowed public data to be accessed as intended, but also exposed private data without anyone knowing.
“The UpGuard research team can now disclose multiple data breaches resulting from Microsoft PowerApps portals configured to allow public access – a new vector for data exposure,” the researchers say in their leak analysis.
Functionality or configuration error?
The type of information researchers were able to access varied from organization to organization. In total, the researchers managed to admire data from about four dozen entities, including government agencies like Indiana, Maryland, and New York City, and private companies like American Airlines, Ford, JB Hunt, etc.
The researchers believe that the staggering amount of exposure points to a flaw on Microsoft’s part, in that it failed to properly pass the default settings and behavior of the PowerApps platform.
“Our conversations with the entities we notified have suggested the same conclusion: Several government agencies have reported performing security reviews of their applications without identifying this issue, possibly because it has never received enough publicity as a problem. data security concern before, ”the researchers note.
Microsoft initially rejected the UpGuard disclosures because it was “determined that this behavior is considered to be by design.”
However, as UpGuard began to contact affected entities, Microsoft took several steps to help customers avoid inadvertent data leaks. For example, the company has now released a tool to check lists that allow anonymous access and has also changed the default table permissions.