UpGuard disclosed its findings on a blog post revealing that apps created on Microsoft’s Power Apps platform had improper permission settings, which led to the massive leak. The data types vary between sources, but include COVID-19 vaccination statuses, Social Security numbers, phone numbers, and millions of full names and email addresses. UpGuard has since notified the 47 different companies and government entities that were affected by the leak. These entities include the Indiana Department of Health, the New York City public school system, American Airlines, and Microsoft. Power Apps is a service and platform that allows customers to make their own apps and offers application programming interfaces (APIs) that allow these organizations to use the data they collect. However, the information obtained through these APIs is made public by default, and unless privacy settings are enabled, anonymous users can freely access this data. Microsoft has implemented two fixes to remedy the problem: table permissions have been made default, and a new tool has been added to help users self-diagnose their apps to find any security flaws. The firm still recommends that Microsoft implement “code changes” to the platform to ensure a data breach doesn’t happen again. UpGuard posted its findings in the hopes that leaders in the tech industry learn from this massive leak and help mitigate future incidents.
