For months, Microsoft’s Power Apps management portals leaked sensitive data records belonging to dozens of government entities and private companies, exposing a total of 38 million personal records, security firm UpGuard revealed.
Microsoft Power Apps is a low-code platform for designing apps and building public and private websites.
The exposed info included personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. The affected entities include state and municipal government bodies in Indiana, Maryland, and New York City, and private companies like American Airlines, Ford, JB Hunt, and Microsoft.
According to the UpGuard Research team, the breach was discovered in May this year, when one of its analysts found that the OData API for a Power Apps portal served anonymously accessible database records that included personal information.
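The check a portal owner would want after reading this is whether their own portal's OData feed answers unauthenticated requests with records. The helper below is an added example, not UpGuard's or Microsoft's code; it assumes (as the article does not state) that a Power Apps portal exposes each list's OData feed at `<portal>/_odata/<entity-set>`, that an HTTP 200 with a non-empty JSON `value` array means the list is readable anonymously, and that the entity-set names to test are supplied by the operator.

```python
"""Self-audit of a Power Apps portal's OData feed (added example, assumptions noted above)."""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple


def classify_response(status: int, body: str) -> Tuple[str, int]:
    """Map one unauthenticated entity-set reply to a verdict and the number of rows returned.

    401/403 means table permissions are enforced, 404 means the feed is not enabled for that list,
    200 with rows in "value" means the list is readable without any login (the failure mode in
    the article); anything else is reported as unknown rather than guessed.
    """
    if status in (401, 403):
        return ("protected", 0)
    if status == 404:
        return ("not-enabled", 0)
    if status != 200:
        return ("unknown", 0)
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ("unknown", 0)
    rows = data.get("value", []) if isinstance(data, dict) else []
    return ("anonymous-readable", len(rows)) if rows else ("empty", 0)


def audit_portal(base_url: str, entity_sets: List[str]) -> Dict[str, Tuple[str, int]]:
    """Request each entity set with no credentials and classify the reply (needs network access).

    `$top=1` (standard OData paging) keeps the probe to a single row, so the audit itself does not
    download the data it is checking the exposure of.
    """
    results: Dict[str, Tuple[str, int]] = {}
    for name in entity_sets:
        url = f"{base_url.rstrip('/')}/_odata/{name}?$top=1"
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[name] = classify_response(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            results[name] = classify_response(err.code, "")
    return results


if __name__ == "__main__":
    # Constructed sample replies standing in for live responses, to show the verdicts offline.
    print(classify_response(200, '{"value": [{"contactid": "c1", "emailaddress1": "a@example.org"}]}'))
    print(classify_response(403, ""))
```

Any entity set reported as `anonymous-readable` should have table permissions enabled on the portal (or the OData feed disabled for that list) before the portal is considered private.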
It appears that none of the exposed data has been misused, the researchers said.
UpGuard researchers submitted their report to Microsoft on June 24. Several days later, on June 29, a Microsoft analyst responded by saying that they “determined that this behavior is considered to be by design.”
At the beginning of August, Microsoft announced that Power Apps portals will now default to storing API data and other information privately.