38 million records from Microsoft-powered vaccination registrations and COVID-19 contact tracing apps exposed online


Over a thousand web apps that use Microsoft’s Power Apps portal service have mistakenly exposed millions of records, including data from COVID-19 contact tracing platforms and online vaccination registrations, Wired reported Aug 23.

6 details:

1. The incident affected large businesses and organizations, including the Maryland Department of Health, American Airlines, and transportation and logistics company JB Hunt.

2. The 38 million records on display were all stored on Microsoft’s Power Apps portal service, which is a development platform for building web or mobile applications. For example, organizations managing COVID-19 vaccination registrations have used the platform to create a public site and data management back-end.

3. In early May, researchers at security firm UpGuard discovered that a large number of Power Apps portals were publicly exposing data that should have been private. This information included people’s Social Security numbers, COVID-19 vaccination status, phone numbers and home addresses.

4. None of the data is known to have been compromised, and the oversight in the design of the Power Apps portals has been corrected.

5. UpGuard disclosed the results of its investigation to Microsoft, which announced in early August that Power Apps portals would now store application programming interface data and other information privately by default.

6. Microsoft has also released a tool that customers can use to check their portal settings. The company did not respond to Wired’s request for comment.

