It has been reported that sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps, according to Upguard. Upguard Research disclosed multiple data leaks exposing 38 million data records via Microsoft Power Apps portals configured to allow public access. The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. Upguard first discovered the issue involving the ODdata API for a Power Apps portal on May 24 and submitted a vulnerability report to Microsoft June 24.
<p>This incident highlights the dangerous consequences when cloud applications are configured incorrectly. No one can be sure if this data was accessed by any intruders, and if it was, it would have provided them with a wealth of sensitive information which could be used in phishing and identity attacks. When organisations use cloud applications to store sensitive data, they must understand how to configure them properly so no data is put at risk. There have been multiple incidents in the past where cloud misconfigurations have led to data breaches, which have then led to costly fines for the organisation. No one wants to find themselves in this position, so understanding the rules around cloud configurations is essential.</p>
<p>Simplifying the development of applications is a great idea. But being able to build apps using templates and simple drag-and-drop capabilities combined with rapid deployment requires an equally modern approach to security. With democratising development processes, application builders might not even be aware of vulnerabilities, misconfigurations and basic and common-sense defensive measures. This is not only the result of a cybersecurity skill gap. Vulnerabilities and misconfigurations can also be introduced by service providers, making it even more difficult to create secure applications.</p>
<p>While this shouldn’t stop organisations from being innovative and agile, security has to become a key requirement for any project. Organisations should start building a culture of data privacy and security. This includes putting investments behind the most complete data security toolkits, including data-centric security, modern format preserving protection mechanisms and zero-trust to protect data wherever it is. Ensuring that data is protected by default, enabling applications to run workloads on protected data and only de-protecting when absolutely necessary reduces the exposure drastically. It also gives back control and increases visibility, which becomes even more important when sensitive data such as personal identifiable information (PII) or personal health information (PHI) is involved.</p>