The personal data of 38 million people has been exposed following a breach of Microsoft’s PowerApps. The personal information included COVID vaccination status, names, addresses, among other information.
UpGuard released on Monday an account of a multi-month investigation showing the confidential information was exposed - but not compromised - before the problem was resolved.
"The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses," the report said.
American Airlines, Ford, J.B. Hunt, and communities such as the Maryland Health Authority and New York City public transportation are also among the 47 groups affected.
What is Microsoft PowerApps?
All of them used the software from Microsoft PowerApps, which makes it easy to create websites and mobile applications to interact with the public.
For example, if an institution needs to quickly set up an appointment booking portal for vaccines, the service from the computer giant provides both the public facade and data management.
Customers reminded to change software
Until June 2021, the default software configuration did not adequately protect certain data, the UpGuard researchers said.
"Thanks to our research, Microsoft has since changed the PowerApps portals," they added.
"Our tools help design solutions at scale that meet a wide variety of needs. We take security and privacy seriously, and encourage our customers to configure products to best meet their privacy needs," a spokesperson for Microsoft told AFP.
The company also indicated that it systematically informed its customers when potential leak risks were identified, so that they could remedy them.
But according to UpGuard, it is better to change the software based on how customers use it, rather than seeing the widespread lack of data privacy as a misconfiguration by the users.
"The number of accounts where sensitive information was vulnerable shows that the risk associated with this feature - the probability and impact of a bad configuration - had not been adequately taken into account," they added.