Thirty-eight million records from dozens of organizations, including COVID-19 contact tracing information, were exposed online earlier this year due to a misconfiguration in a Microsoft product, according to research published Monday.
Cybersecurity group UpGuard’s research team detailed in a report that it had notified 47 groups that their data had been exposed. These were government organizations including the Maryland Department of Health, New York City Schools, New York City Municipal Transportation Authority, and the government of the State of Indiana.
Data from private companies was also exposed, including from various other Microsoft groups, Ford, American Airlines, and J.B. Hunt. Data exposed included COVID-19 contact tracing, vaccination appointments, Social Security numbers, employee IDs, and other personal information on millions of individuals.
The exposed data, first discovered by researchers at the end of May, was not compromised, and was the result of configuration on Microsoft’s Power Apps, which allows customers to build data applications for their business needs. The application exposed millions of data points due to them being made publicly available as a result of a configuration in Power Apps that has since been corrected.
“The number of accounts exposing sensitive information, however, indicates that the risk of this feature– the likelihood and impact of its misconfiguration– has not been adequately appreciated,” the researchers wrote in the report.
“Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before,” they noted.
A spokesperson for Microsoft defended the security of its product Monday, emphasizing that the company had worked closely with affected customers to ensure their data was private and that customers were notified if their data was publicly available.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs,” the Microsoft spokesperson said in a statement provided to The Hill. “We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
UpGuard researchers noted in their report that Microsoft had recently released a tool to check Power Apps portals for data exposure, and new portal created through Power Apps will have access permissions turned on by default. They also noted that many of the exposed portals were made private between June and July.
“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the researchers wrote.
The incident is was the latest security challenge that Microsoft has faced in recent months.
The company announced in May that a Chinese hacking group known as “Hafnium” had been exploiting security flaws in its Exchange Server email application. The vulnerabilities exposed tens of thousands of companies to cyber criminals, and the Biden administration last month formally attributed the breach to hackers affiliated with the Chinese government last month.
Another threat to Microsoft Exchange came to light this past week, with the Cybersecurity and Infrastructure Security Agency issuing an alert Saturday urging organizations to patch vulnerabilities in Microsoft’s ProxyShell.
“New surge in Microsoft Exchange server exploitation underway,” Rob Joyce, the director of cybersecurity at the National Security Agency, tweeted Saturday. “You Must ensure you are patched and monitoring if you are hosting an instance.”