©2021 Reporters Post24. All Rights Reserved.
THE personal records of 38 million people were accidentally leaked on the open internet due to a flaw in more than a thousand Microsoft web apps, according to reports.
American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools were among the companies and organizations affected by the mistake.
Sensitive information revealed included people’s phone numbers, home addresses, social security numbers, and Covid-19 vaccination status.
The data exposures have now been addressed, Wired reports.
The information had all been stored in Microsoft’s Power Apps portal service.
It can be used to create a public-facing site for services like vaccine sign-up and also create a database of the information for internal use.
However, researchers from security firm UpGuard found that in some cases the backend database was public and available to view by anyone who could find it.
In May, the firm began investigating thousands of Power Apps portals that publicly exposed what should have been private data.
In a report published on Monday, it revealed that when an API was enabled to interact with the data, that data was automatically made public.
The privacy settings could be changed manually, but many customers were unaware of this and left their apps in the default configuration, meaning the data they collected was automatically publicly accessible.
“We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” Greg Pollock, UpGuard’s vice president of cyber research, told Wired.
It is not believed that any of the information found had already been compromised by hackers, and Microsoft has since fixed the error.
The tech giant itself was caught out by the flaw and exposed a number of databases through the Power Apps portal.
It included an old platform called “Global Payroll Services,” two “Business Tools Support” portals, and a “Customer Insights” portal.
The state of Indiana exposed some Covid contact-tracing data.
UpGuard revealed it had tried to contact all of the organizations and companies affected and then handed over its research to Microsoft this month.
The company announced earlier in August that it was changing the default to store API data and other information privately.
‘TECH COMPANIES NEED TO ACT’
Pollock said that it is essential tech companies offer secure and private default settings to ensure leaks like this do not occur on such a wide scale.
“With other things we’ve worked on, it’s public knowledge that cloud buckets can be misconfigured, so it’s not incumbent on us to help secure all of them,” he said.
“But no one had ever cleaned these up before, so we felt we had an ethical duty to secure at least the most sensitive ones before being able to talk about the systemic issues.”
“When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong.
“If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.”