Microsoft Power Apps platform exposes 38 million confidential records

Leaked data include names, social security details and other personal info used for Covid-19 contact tracing and vaccine appointments


Thousands of apps and portals that use Microsoft’s Power Apps platform mistakenly leaked about 38 million confidential records and left them exposed for months on the open internet, a new report says.

The leaked data included job applicants' social security numbers, employee IDs, millions of names and email addresses as well as personal information used for Covid-19 contact tracing and vaccination appointments, UpGuard said in Monday's report.

Power Apps is a suite of apps, services and connectors as well as a data platform that provides a development environment for building custom applications for businesses.

“This research presents an example of a larger theme, which is how to manage third-party risks [and exposures] posed by platforms that don't slot neatly into vulnerability disclosure programmes as we know them today,” UpGuard said.

The company said it has notified 47 affected entities so far. These include government institutions in Indiana, Maryland and New York City as well as private companies like American Airlines, JB Hunt and Microsoft.

Founded in 2012, UpGuard helps businesses manage cybersecurity risk.

Using Power Apps, customers can quickly build customised business apps that connect to their data stored either in the underlying data platform or in various online and on-premises data sources such as SharePoint, Microsoft 365 and Dynamics 365.

Microsoft did not immediately respond to The National's request for comment.

The main Power Apps marketing page lists the ability to access “your data either anonymously or through commercial authentication” as one of the top features.

“Our conversations with the entities we notified suggested the same conclusion … multiple government bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicised as a data security concern before,” UpGuard said in its findings.

It revealed that in cases like compromised registration pages for Covid-19 vaccinations, there are data types that should be public (like the locations of vaccination sites and available appointment times) as well as sensitive data that should be private, like the personal information of the people being vaccinated.

The increase in cyber threats has led to a surge in global spending on cyber security, which is forecast to rise about 125 per cent to $363.05 billion by 2025 from 2019, research consultancy Mordor Intelligence said.

In March, cyber espionage group Hafnium reportedly exploited Microsoft's widely used Exchange email and calendar server, breaching more than 30,000 commercial and local government entities in the US.

Updated: August 23rd 2021, 7:24 PM