According to researchers, the incident involved 47 government and private entities across the United States.
The IT security researchers at UpGuard published a report disclosing that organizations using Microsoft Power Apps portals were exposed by a default configuration that left their data sets readable by anyone who knew the web address, including search engines that indexed it.
UpGuard researchers estimate that nearly 38 million records were exposed through this misconfiguration. Power Apps is Microsoft's low-code platform for building business applications, including the public-facing portals at issue here.
What Data Was Exposed?
UpGuard's research revealed that the exposed data included COVID-19 contact-tracing and vaccination records, including vaccination status, along with personal information such as social security numbers, email addresses, names, dates of birth and home addresses.
The records were exposed through the OData API that Power Apps portals use to publish their lists. By default, a portal did not enforce table permissions on that feed, so any list published through it could be read by an anonymous visitor unless the portal's owner had explicitly enabled permissions. UpGuard's point was that data which should have been private was public by default, a configuration choice rather than a software bug. Microsoft has since changed the default so that table permissions are enforced on new portals, but owners of existing portals had to check them.
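The practical check a portal owner wants after reading the above is whether any list is readable without signing in. The script below is an added example, not code from UpGuard or Microsoft: it fetches the portal's OData service document as an anonymous client, requests one row from each advertised list, and flags lists that answer with data, along with column names that look like personal data. The `/_odata` path, the `$top=1` query and the PII column heuristic are assumptions made for this example; the `sample_fetch` responses are constructed, not captured from any real portal.

```python
"""Audit a Power Apps portal for lists readable over its OData feed without signing in.

Added example. Assumptions: the feed lives under /_odata (the conventional portal
path), the service document is JSON with a "value" array of entity sets, and a
200 response to an anonymous row request means table permissions are not enforced.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Heuristic for column names that usually hold personal data (assumed for this example).
PII_PATTERN = re.compile(r"(ssn|social|email|birth|dob|phone|address|vaccin)", re.I)

Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(url: str) -> Tuple[int, str]:
    """Anonymous GET: no cookies, no Authorization header. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def list_entity_sets(fetch: Fetch, base_url: str) -> List[str]:
    """Read the OData service document and return the list names it advertises."""
    status, body = fetch(base_url.rstrip("/") + "/_odata")
    if status != 200:
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [entry["name"] for entry in doc.get("value", []) if "name" in entry]


def probe_list(fetch: Fetch, base_url: str, name: str) -> Dict:
    """Request a single row anonymously and report what came back."""
    status, body = fetch(f"{base_url.rstrip('/')}/_odata/{name}?$top=1")
    result = {"list": name, "status": status, "anonymous_read": False, "pii_columns": []}
    if status != 200:
        return result  # 403/401 here is what enforced table permissions look like
    try:
        rows = json.loads(body).get("value", [])
    except (json.JSONDecodeError, AttributeError):
        return result
    result["anonymous_read"] = True  # the feed served the list to an unauthenticated client
    if rows:
        result["pii_columns"] = sorted(col for col in rows[0] if PII_PATTERN.search(col))
    return result


def audit_portal(base_url: str, fetch: Fetch = http_fetch) -> List[Dict]:
    """One report entry per list advertised by the portal's service document."""
    return [probe_list(fetch, base_url, name) for name in list_entity_sets(fetch, base_url)]


def sample_fetch(url: str) -> Tuple[int, str]:
    """Constructed responses standing in for a portal: one open list, one protected list."""
    if url.endswith("/_odata"):
        return 200, json.dumps({"value": [{"name": "contacts", "url": "contacts"},
                                          {"name": "notes", "url": "notes"}]})
    if "/_odata/contacts" in url:
        return 200, json.dumps({"value": [{"contactid": "1", "firstname": "Example",
                                           "emailaddress1": "user@example.com",
                                           "ssn_last4": "0000"}]})
    if "/_odata/notes" in url:
        return 403, ""  # table permissions enforced: anonymous client refused
    return 404, ""


if __name__ == "__main__":
    import sys
    # Pass a real portal URL to audit it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        report = audit_portal(sys.argv[1])
    else:
        report = audit_portal("https://example.powerappsportals.com", sample_fetch)
    for entry in report:
        flag = "EXPOSED" if entry["anonymous_read"] else "protected"
        print(f"{entry['list']:<20} {flag:<10} status={entry['status']} pii={entry['pii_columns']}")
```

Run it against your own portal only, and treat any `EXPOSED` line as a list whose table permissions need to be enabled and whose contents may already have been indexed.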
Who is Impacted?
In its blog post, UpGuard stated that it discovered the issue on May 24th, 2021, and submitted its vulnerability report to Microsoft on June 24th. The leaked data includes the following:
- Contact-tracing database from the Indiana Department of Health containing records of 750,000 people.
- Coronavirus testing appointments of Maryland Department of Health.
- Staff and student rosters.
- List of COVID-19 vaccinated employees of New York Metropolitan Transit Authority.
- Nearly 332,000 Microsoft employee email addresses, from portals including the company's global payroll services, along with internal files.
Reportedly, the incident has impacted as many as 47 organizations, including the following:
- J. B. Hunt
- American Airlines
- The state governments of Maryland and Indiana, and the government of New York City.