24 August 21, 18:36
Quote: For months, Microsoft’s Power Apps portals exposed personal data tied to 38 million records ranging from COVID-19 vaccination status to Social Security numbers and email addresses. Consumers most affected by what is being called a “platform issue” are those doing business with American Airlines, Ford, the Indiana Department of Health and New York City public schools.
Microsoft describes its Power Apps as a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.” The tool is used by developers to build applications that share data locally or with the cloud.
On Monday, UpGuard Research revealed Microsoft’s Power Apps management portal had inadvertently leaked the data of 47 businesses totaling the exposure of 38 million personal records. It asserted that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. Microsoft does not consider the leaky data issue a vulnerability, rather a configuration issue that can be improved on its part.
Besides data sets previously mentioned, researchers outlined what they found as:
American Airlines: A collection of 398,890 “contact” records, which included full names, job titles, phone numbers, and email addresses. A second “test” collection of data included 470,400 records, which included full names, job titles, phone numbers and email addresses.
Denton County, TX: A total of 632,171 records spilled included vaccination types, appointment dates and times, employee IDs, full names, email addresses, phone numbers, and birth dates. “The list ‘contactVaccinationSet’ had 400,091 records with fields for full names and vaccination types, and ‘contactset’ had 253,844 records with full names and email addresses,” researchers wrote.
J.B. Hunt Transport Services: The transportation logistics firm made public 905,228 records that included customer full names, email addresses, physical addresses and phone numbers. Over a quarter million of the records also included US Social Security numbers.
Microsoft’s own The Global Payroll Services Portal: Researchers found 332,000 records of Microsoft employees and contractors with their @microsoft.com email address, full name and phone numbers that appear to be for personal use.
Read more: Microsoft Spills 38 Million Sensitive Data Records Via Careless Power App Configs | Threatpost