Tens of millions of personal, health, and social records processed by nearly 50 U.S. entities in healthcare, industry, and transportation were left unprotected. The cause was a default setting in the configuration of service portals built with Microsoft's Power Apps suite.
Thirty-eight million pieces of personal data, including names, addresses, and tax or Social Security identifiers, coming for example from the health services of certain American states in connection with Covid-19 monitoring, from American Airlines, from the manufacturer Ford, and from the public transport services of New York, were found exposed without any protection. This is what a report from the computer security specialist UpGuard indicates. Published on Monday, it points to the use of Microsoft's Power Apps software suite: tools for building dashboards and custom online business applications, delivered through portal sites and built on user data. In all, 47 entities of varying size were affected by this gaping breach. According to UpGuard, however, the exposed data does not appear to have been compromised.
No password needed to access data
Concretely, no password was needed to access this personal data, hosted in the form of spreadsheets on the servers of Microsoft's Dataverse service. The access API was simply not configured by Microsoft, by default, to prevent data exposure; this had to be done manually, a subtlety that the developers at these entities had probably not considered. Microsoft responded by pushing an update earlier this month that applies the correct default security settings.
The firm has also published a tool for performing a security audit of portals built with Power Apps. That said, in its explanations, Microsoft seeks to clear itself by shifting responsibility onto the customers who did not correctly configure the services, while adding that it took care to inform them when potential risks of leaks were identified. In the end, it is fortunate that this personal data was not collected by malicious people.
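The two paragraphs above describe the core of the problem: a portal's data feed that answers anonymous requests unless table permissions are switched on. The following Python script is an added example, not code from the article, from UpGuard, or from Microsoft's audit tool. It is a defender-side self-check for a portal you operate: it fetches the OData service document anonymously (the `/_odata/` path is assumed here, as is the exact shape of the JSON) and classifies the response, and it exercises that classification offline against constructed sample responses so the logic can be verified without any network access.

```python
"""Self-check: does a portal's OData feed answer anonymous requests?

Added example (not part of the original article). Assumptions are marked below.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import List, Tuple

# Assumption: the portal's OData feed lives under this path. Adjust for your deployment.
ODATA_PATH = "/_odata/"


def classify_odata_response(status: int, content_type: str, body: bytes) -> str:
    """Classify an anonymous GET of the OData service document.

    "exposed"   - 200 with a JSON service document that lists at least one table,
                  so anonymous readers can discover (and usually read) the data
    "protected" - 401/403/404, a redirect (typically to the sign-in page), or a
                  service document that lists no tables
    "unknown"   - anything else; inspect by hand
    """
    if status in (401, 403, 404):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected"  # redirect, normally to the portal sign-in page
    if status == 200 and "json" in content_type.lower():
        try:
            doc = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "unknown"
        value = doc.get("value") if isinstance(doc, dict) else None
        if not isinstance(value, list):
            return "unknown"
        return "exposed" if value else "protected"
    return "unknown"


def exposed_tables(body: bytes) -> List[str]:
    """Return the names of the tables listed in a service document (assumed JSON shape)."""
    doc = json.loads(body.decode("utf-8"))
    return [e.get("name", "") for e in doc.get("value", []) if isinstance(e, dict)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the sign-in page is itself the answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_portal(base_url: str, timeout: float = 10.0) -> str:
    """Anonymously fetch the service document of a portal you operate and classify it."""
    url = base_url.rstrip("/") + ODATA_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_odata_response(
                resp.status, resp.headers.get("Content-Type", "") or "", resp.read())
    except urllib.error.HTTPError as err:  # raised for 3xx (no redirect) and 4xx/5xx
        return classify_odata_response(
            err.code, err.headers.get("Content-Type", "") or "", err.read())


# Constructed sample responses for offline demonstration; not data from any real portal.
Sample = Tuple[int, str, bytes]
SAMPLE_EXPOSED: Sample = (
    200, "application/json; odata.metadata=minimal",
    b'{"@odata.context":"https://portal.example.invalid/_odata/$metadata",'
    b'"value":[{"name":"contacts","url":"contacts"},{"name":"cases","url":"cases"}]}')
SAMPLE_EMPTY: Sample = (200, "application/json", b'{"value":[]}')
SAMPLE_FORBIDDEN: Sample = (403, "text/html", b"Forbidden")
SAMPLE_SIGNIN: Sample = (302, "text/html", b"")
SAMPLE_HTML: Sample = (200, "text/html", b"<html>Sign in</html>")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_portal(sys.argv[1]))
    else:
        for name, sample in [("exposed", SAMPLE_EXPOSED), ("empty", SAMPLE_EMPTY),
                             ("forbidden", SAMPLE_FORBIDDEN), ("signin", SAMPLE_SIGNIN),
                             ("html", SAMPLE_HTML)]:
            verdict = classify_odata_response(*sample)
            extra = exposed_tables(sample[2]) if verdict == "exposed" else ""
            print(f"{name:10s} -> {verdict} {extra}")
```

Run it with no arguments to see the classification of the constructed samples, or with the base URL of your own portal to check it. A verdict of "exposed" means the service document is readable without credentials, which is the condition the article describes; the fix is on the portal side (table permissions and the default security settings Microsoft's update applies), not in this script.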