Researchers today disclosed multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure. The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals. This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don’t slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues.
<p>This touches on two recurring facts. First, many Microsoft products have historically shipped with wide access to data and resources by default, leaving it to users and administrators to take action and lock things down. That approach has changed over at least the last decade, but ease of use and access still tend to lead the way, ahead of tools and reports that make it easy for admins and users to see who has access to what information and adjust it as necessary; the Power Apps portal exposures above are the latest case where the default, not a bug, did the damage. Second, as we have said over and over again, it is everyone's responsibility both to be aware of and to educate others on the importance of protecting people's private information.</p>
<p>End users have been given very powerful tools that let them easily access, analyze and share data in new ways. Platforms that provide these tools also need to help those users protect that data. Warning users about who will be able to see the data when they make a particular change, or letting them preview what a data view looks like from another user's (including an anonymous visitor's) point of view, goes a long way toward letting users secure the data when necessary without getting too frustrated.</p>
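<p>Until platforms give users that "view as an anonymous visitor" button, the check has to be done from the outside. The following audit script is an added example written for this post; it is not code from the original article, from UpGuard, or from Microsoft. It assumes, as the UpGuard research described, that a Power Apps portal publishes its list data as OData feeds under <code>/_odata</code>, and that a feed counts as exposed if a request with no cookies or authorization header returns JSON records. The portal hostname and the canned responses in <code>_FAKE</code> are constructed so the script runs offline; point <code>audit_portal</code> at a real portal with the default <code>http_fetch</code> to test one you own.</p>

```python
"""Audit a Power Apps portal for anonymously readable OData feeds.

Added example, not code from the original post, UpGuard or Microsoft.
Assumption: list feeds live under <portal>/_odata and a feed is "exposed"
when an unauthenticated GET returns JSON rows.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher performs an anonymous GET and returns (status, content_type, body).
Fetcher = Callable[[str], Tuple[int, str, bytes]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str, bytes]:
    """Plain anonymous GET: no cookies, no Authorization header."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read()


def _json_or_none(status: int, content_type: str, body: bytes) -> Optional[object]:
    """Only a 200 with a JSON body counts as data.

    A 401/403/404 is a denial, and a sign-in page comes back as HTML, so both
    are treated as "not exposed" rather than as a parse error.
    """
    if status != 200 or "json" not in content_type.lower():
        return None
    try:
        return json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def list_entity_sets(base_url: str, fetch: Fetcher = http_fetch) -> List[str]:
    """Read the OData service document; return entity set names, or [] if it is not anonymous."""
    doc = _json_or_none(*fetch(base_url.rstrip("/") + "/_odata"))
    if not isinstance(doc, dict):
        return []
    return [e["name"] for e in doc.get("value", []) if isinstance(e, dict) and "name" in e]


def audit_portal(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, Dict]:
    """Request one row ($top=1) from every entity set anonymously.

    Reports, per feed, whether a record came back and which field names it carried,
    so an admin can see at a glance which lists (and which columns) the public can read.
    """
    report: Dict[str, Dict] = {}
    for name in list_entity_sets(base_url, fetch):
        url = f"{base_url.rstrip('/')}/_odata/{name}?$top=1"
        doc = _json_or_none(*fetch(url))
        rows = doc.get("value", []) if isinstance(doc, dict) else []
        exposed = len(rows) > 0
        fields = sorted(k for k in rows[0] if not k.startswith("@")) if exposed else []
        report[name] = {"exposed": exposed, "fields": fields}
    return report


# Constructed stand-in for a portal (not real data): one list is readable anonymously,
# one rejects the request with 401, one answers with an HTML sign-in page.
FAKE_PORTAL = "https://example.powerappsportals.com"
_FAKE: Dict[str, Tuple[int, str, bytes]] = {
    f"{FAKE_PORTAL}/_odata": (200, "application/json", json.dumps({
        "@odata.context": f"{FAKE_PORTAL}/_odata/$metadata",
        "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"},
                  {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
                  {"name": "cases", "kind": "EntitySet", "url": "cases"}],
    }).encode()),
    f"{FAKE_PORTAL}/_odata/contacts?$top=1": (200, "application/json", json.dumps({
        "value": [{"@odata.id": "contacts(1)", "fullname": "A. Person",
                   "emailaddress1": "a.person@example.test"}],
    }).encode()),
    f"{FAKE_PORTAL}/_odata/appointments?$top=1": (401, "application/json", b'{"error":"unauthorized"}'),
    f"{FAKE_PORTAL}/_odata/cases?$top=1": (200, "text/html", b"<html>Sign in</html>"),
}


def fake_fetch(url: str) -> Tuple[int, str, bytes]:
    """Offline fetcher serving the constructed responses above."""
    return _FAKE.get(url, (404, "text/plain", b"not found"))


if __name__ == "__main__":
    for feed, info in audit_portal(FAKE_PORTAL, fake_fetch).items():
        print(f"{feed:14s} {'EXPOSED' if info['exposed'] else 'ok':8s} {info['fields']}")
```

<p>The script deliberately treats anything other than a 200 with a JSON body as "not exposed", because a portal that redirects anonymous visitors to a sign-in page answers with HTML and a 200, and counting that as data would produce false positives. Run it only against portals you are authorized to test.</p>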