38 million records have been exposed online, including contact tracing information


Just one more Thousands of web apps mistakenly exposed 38 million open internet records, including data from a number of Covid-19 contact tracing platforms, vaccination registrations, portals applications and employee databases. The data included a range of sensitive information, from phone numbers and personal addresses of people with social security numbers and Covid-19 vaccination status.

The incident affected large businesses and organizations, including American Airlines, Ford, transportation and logistics company JB Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority and New York public schools. And while the data exposures have since been corrected, they show how one bad configuration parameter in a popular platform can have far-reaching consequences.

The exposed data was all stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to build web or mobile applications for external use. If you need to quickly create an appointment registration site for vaccines during, for example, a pandemic, Power Apps portals can generate both the public site and the data management backend.

Starting in May, researchers at security firm Upguard began investigating a large number of Power Apps portals that publicly exposed data that should have been private, including in certain Power Apps that Microsoft created for its own purposes. . None of the data is known to have been compromised, but the discovery is still significant as it reveals an oversight in the design of the Power Apps portals that has since been fixed.

In addition to managing internal databases and providing a foundation for developing applications, the Power Apps platform also provides out-of-the-box application programming interfaces to interact with that data. But the Upguard researchers realized that when activating these APIs, the default platform made the corresponding data publicly available. Enabling privacy settings was a manual process. As a result, many customers misconfigured their applications leaving the default insecure.

“We found one that was misconfigured to expose data and we thought, we’ve never heard of it, is it a one-off thing or is it a systemic issue? Says Greg Pollock, vice president of cyber research at UpGuard. “Because of how the Power Apps Portals product works, it is very easy to quickly complete a survey. And we found out that there are tons of it on display. It was wild.

The types of information the researchers stumbled upon were very varied. JB Hunt’s exposure was job seeker data that included Social Security numbers. And Microsoft itself has exposed a number of databases in its own Power Apps portals, including an older platform called “Global Payroll Services”, two “Business Tools Support” portals, and a “Customer Insights” portal.

The information was limited in many ways. Just because the state of Indiana, for example, has exposure to the Power Apps portal doesn’t mean that all state-owned data has been exposed. Only a subset of the contact tracing data used in the state’s Power Apps portal was involved.

Misconfiguration of cloud-based databases has been a serious problem over the years, exposing huge amounts of data to inappropriate access or theft. Big cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customer data privately by default from the start and report potential configuration errors, but the industry has failed. prioritized the problem only recently.


Comments are closed.