Personal data of 38 million users were accidentally leaked due to a fault in Microsoft’s (MSFT) Power Apps software.
The data included employee information, Covid related personal information and email ids and phone numbers of millions of individual, making it one of the largest possible data leaks in the recent history.
Research team Upguard said, “The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.”
Forty-seven different agencies were affected by the breach which has since been rectified by the tech-giant. The information contained 332,000 emails and employee ids used by Microsoft’s payroll services and almost 85,000 records of other individuals. 39,000 emails registered with Microsoft Mixed Reality were also exposed.
Microsoft Mixed Reality, a software that allows businesses and individuals to build personalized simple software with the help of pre-installed templates, was used by a gamut of huge companies like the American Airlines, Ford, J.B hunt. Government entities in Indiana, New York city and Maryland were also discovered in the list of leaked organizations by the firm.
“Power Apps portals have options built in for sharing data, but they also have built in data types that are inherently sensitive. In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated.” said the firm.
According to the researchers, they had warned the company of the discrepancy back in June 24 but the company refused to pay heed. “While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” said the researchers.
In a statement gathered by Engadget, Microsoft said “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
The research foundation blasted the alibi given by the company calling the anomaly a part of the design and leaving it on the end user to configure. The firm said, “It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user mis-configuration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”
Source: Read Full Article