An incredible 38 million users’ personal data was at risk in the Microsoft Power Apps breach
You’d think big companies would have learned by now about the ramifications of not locking down users’ personal information, after hundreds of massive, widely publicized breaches in recent years.
But Microsoft is the latest to be implicated in a huge potential data breach — with an incredible 38 million users’ personal data at risk.
The problem lies with Microsoft’s Power Apps, a tool that makes it easy for companies to create their own apps in the cloud. It is used by companies such as PayPal, Metro Bank, Toyota, Heathrow Airport and by many healthcare and education organizations around the world.
However, cybersecurity experts revealed this week that more than 1,000 apps created with the tool accidentally exposed records containing sensitive personal data. These include Covid tracking information, names, phone numbers, email addresses, and even Social Security numbers (commonly used in the US to prove your identity).
Investigators warned 47 organizations including Ford, American Airlines, the New York City Subway and the entire state of Indiana, US, that they had been exposed. Even Microsoft itself had made insecure apps with its own technology.
The breaches were the result of poorly designed apps that accidentally set personal records to be publicly visible. If a certain setting in the app was not configured properly, even anonymous users could freely access all the data they wanted. Some of the information could even be found through a simple Google search.
UpGuard, the company that first sounded the alarm, accused Microsoft of not warning its users enough about the risks of misconfigured apps: “The number of accounts exposing sensitive information … indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been appreciated enough.”
UpGuard said it had told Microsoft and the 47 companies it identified about the problem. Most of them have now secured the at-risk data, it said in a blog post outlining the issue. There are no reports of the data being used by malicious parties, but since it could be viewed anonymously, there was ultimately no way to say for sure.
But it warned that something like this could happen again: “As more information moves online, the frequency of disclosing sensitive data increases… Platform operators [should] take responsibility for misconfiguration issues rather than leaving outside investigators to identify and notify all instances of such misconfigurations.”