38 Million Record Data Leak Serves as Reminder to Check All Cloud Database Configuration Settings

Default settings in Microsoft’s Power Apps portal left 38 million records exposed across more than 1,000 web apps, impacting state government agencies, American Airlines, Ford and others. The exposed records varied by organization and web app but included address, phone numbers, COVID-19 vaccination records, employee and applicant databases to include Social Security numbers.

All organizations are aware of threat of data breaches but tend to focus on hacking and unauthorized access to sensitive data. Often, however, data breaches are the result of inadvertent configuration settings or overlooked mistakes. Such is the case with exposed data implicating 38 million records across organizations such as New York City Municipal Transportation Authority and public schools system, the Maryland Department of Health, Ford Motor Company, American Airlines, logistics company J.B. Hunt and many more.

Microsoft’s mobile app development platform, Power Apps, allows organizations to quickly create custom web apps, such as for scheduling an appointment. Default app configuration settings in the Power Apps platform left much of the user provided information exposed, unless the app creator thought to change the default settings.

The type of data exposed varied widely by the apps purpose. Those who applied for jobs with J.B. Hunt had their SSNs exposed. Ford stated that data exposed was low risk. Health departments may have had vaccination appointments and statuses exposed.

Microsoft has since announced that the Power Apps portals now default to storing API data and other information privately. While this lax default configuration setting was a mishap by Microsoft,  the bottom line is this: anytime cloud-based databases are involved, make sure the configuration settings are secure and maintain data privacy. Ultimately it’s up to each organization to ensure this for themselves.

For more information:

38M Records Were Exposed Online—Including Contact-Tracing Info