38 million records of personal information, including COVID-19 vaccination records and social security numbers, were exposed through Microsoft Power Apps portals, a Microsoft tool that lets anyone build complex applications with little coding.
Microsoft Power Apps is a suite of applications, services, connectors, and a data platform that provides a rapid development environment for building custom applications to meet business needs.
UpGuard, a security platform vendor, discovered that confidential information was exposed from these Microsoft Power Apps portals. According to the company, the exposed data includes various COVID-19 vaccine reservation details, job seekers' social security numbers, employee IDs, and millions of name and email address combinations: 38 million records in total from 47 companies using Microsoft Power Apps.
Among the data exposed this time, the most detailed records came from American Airlines, Ford, the Indiana state health department, and New York City public schools. UpGuard disclosed details of some of the exposures. According to the report, American Airlines' personal information lists, including names, titles, phone numbers, and email addresses, were exposed twice: 398,890 records the first time and 470,400 the second. In Denton County, Texas, 632,171 records of personal information were exposed, including vaccination-related information, vaccine reservation dates, employee IDs, names, email addresses, phone numbers, and dates of birth. In addition, the personal information of 4,091 people, including names and vaccination information, and 253,844 sets of names and email addresses were also exposed. From J.B. Hunt Transport Services, 95,228 sets of customer names, email addresses, postal addresses, and phone numbers were exposed, along with more than 250,000 personal records that include social security numbers. The personal information of 332,000 Microsoft employees and contractors, including names, phone numbers, and email addresses, was exposed from Microsoft's own paid services.
According to UpGuard, the exposure stems from how Microsoft Power Apps handles the Open Data Protocol (OData) and its APIs. Some data processed in Microsoft Power Apps is meant to be public, while other related datasets are meant to be private. For a COVID-19 vaccine reservation site, for example, the vaccination location and the available appointment times are meant to be public, while the personal information of the people being vaccinated should be kept private.
However, on Microsoft Power Apps portals some information that should have been treated as private was stored in a publicly accessible state. UpGuard points out that this is a design problem: even data that Microsoft Power Apps treats as private can be accessed freely by anyone once the OData feed is enabled, unless access permissions are configured.
In practice, most Microsoft Power Apps users had misconfigured their OData settings, leaving confidential information accessible to anyone, which led to this massive data exposure.
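The self-assessment a portal administrator would want after reading this is whether their own portal's OData feed answers an anonymous request. The script below is an added example, not UpGuard's or Microsoft's tooling; it assumes the feed is served at `<portal>/_odata` and returns a standard OData service document, and the sample document embedded in it is constructed.

```python
"""Check whether a Power Apps portal's OData feed answers anonymous requests.
Assumes (not from the article) the feed is at <portal>/_odata and returns a
standard OData service document: {"value": [{"name": ..., "url": ...}, ...]}."""
import json
import urllib.error
import urllib.request

# Entity-set name fragments that usually mean personal data (heuristic, constructed).
SENSITIVE_HINTS = ("contact", "applicant", "vaccin", "employee", "ssn", "payroll")

def classify_odata_response(status: int, body: str) -> dict:
    """Interpret the HTTP status and body of an unauthenticated GET /_odata."""
    if status in (401, 403):
        return {"exposed": False, "entity_sets": [], "note": "feed requires authentication"}
    if status == 404:
        return {"exposed": False, "entity_sets": [], "note": "OData feed disabled"}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"exposed": False, "entity_sets": [], "note": "not an OData service document"}
    names = [e.get("name", "") for e in doc.get("value", []) if isinstance(e, dict)]
    note = "anonymous enumeration possible" if names else "no entity sets published"
    return {"exposed": bool(names), "entity_sets": names, "note": note}

def flag_sensitive(entity_sets: list) -> list:
    """Return the entity-set names whose name hints at personal data."""
    return [n for n in entity_sets if any(h in n.lower() for h in SENSITIVE_HINTS)]

def check_portal(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch <base_url>/_odata with no credentials and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_odata",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_odata_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403/404 arrive as exceptions
        return classify_odata_response(err.code, err.read().decode("utf-8", "replace"))

# Constructed service document standing in for a misconfigured portal's reply.
SAMPLE_SERVICE_DOC = json.dumps({
    "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
    "value": [{"name": "vaccineappointments", "url": "vaccineappointments"},
              {"name": "jobapplicants", "url": "jobapplicants"},
              {"name": "clinics", "url": "clinics"}]})

if __name__ == "__main__":
    result = classify_odata_response(200, SAMPLE_SERVICE_DOC)
    print(result["note"], "->", flag_sensitive(result["entity_sets"]))
```

A 200 reply that lists entity sets means the portal publishes them to anyone; a 401, 403 or 404 means table permissions or a disabled feed are doing their job.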
Microsoft, for its part, regards the exposure not as a system vulnerability but as a configuration problem. To address it, Microsoft has released a tool for verifying that Microsoft Power Apps data has not been exposed, and plans to change the specification so that data permission settings are applied by default.