More than 1,000 applications hosted on Microsoft Power Apps accidentally exposed 38 million records of the people who used them. Large companies are involved in the case, warn digital security professionals at UpGuard.
According to the team that led the discovery, the Microsoft tool, in addition to managing databases for the development of new features and offering programming foundations, provides ready-made interfaces. However, when activating such APIs, the organizations building the apps did not realize that public access to the information they were handling was the default, and that privacy had to be enabled manually.
As a result, depending on the organization, everything from telephone numbers and home addresses to social security numbers and vaccination status could be accessed by third parties. American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the Metropolitan Transportation Authority (MTA) and New York Public Schools fell into the “trap”.
In fact, not even some applications created by Microsoft itself were spared. “We found an example and, until then, we had not had contact with anything like that. So we questioned whether it was an isolated fact or a systemic problem. We found the existence of ‘tons’ of similar situations. It was absurd,” Greg Pollock, vice president of cyber research at UpGuard, told Wired.
Among the solutions examined in early May were platforms aimed at tracking covid-19, vaccination applications, job application portals and employee databases. In any case, the researchers point out, even though robust institutions were affected, the exposed data concern only what was integrated into the apps, not everything those organizations eventually held.
Initially, the teams tried to contact the companies, but chose to notify Microsoft because the scale of the failure made isolated action unfeasible. Microsoft, meanwhile, announced a configuration change in early August, making data storage and management private by default, and released a verification tool for anyone interested.
Finally, there is no evidence of compromised records, and most apps are already secure, says Pollock, who explains why everything is being made public only now: “We felt we had an ethical duty to protect at least the most sensitive data before we could talk about systemic issues.”