Microsoft Data Breach Exposes 38M Records Containing PII
A Microsoft Power Apps data breach exposed 38M records across 47 organizations containing PII, including some governmental public health agencies.
A Microsoft Power Apps data breach exposed 38 million records containing personally identifiable information (PII), according to a report from cybersecurity company UpGuard. The data breach impacted 47 organizations across multiple industries, including some governmental public health agencies.
On May 24, 2021, an UpGuard analyst discovered that the Open Data Protocol (OData) API for an organization’s Power Apps portal contained an anonymously accessible list of data. The exposed PII included names, COVID-19 contact tracing information, vaccination appointments, Social Security numbers, employee IDs, and email addresses.
The company submitted a vulnerability report to Microsoft one month later, which included steps to identify compromised OData feeds and URLs for accounts that were exposing data. Microsoft closed the case on June 29.
“We determined that this behavior is considered to be by design,” the Microsoft Security Response Center wrote in an email to UpGuard.
UpGuard began notifying impacted organizations, including American Airlines, Ford, Maryland Department of Health, New York City Municipal Transportation Authority, and the state of Indiana.
Microsoft only got involved when UpGuard discovered some of the more severe exposures.
Microsoft Power Apps is a cloud-hosted suite of services that allows organizations to create business intelligence applications. Power Apps portals allow both internal and external users to securely access data through a public website. Users can store data, create forms for users to enter data, and use APIs to retrieve data from other applications.
The service also allows users to enable OData APIs, which let organizations publicly expose Power Apps lists. A design decision left organizations that had not enabled table permissions exposed.
“Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions,” the report explained.
“If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.”
This specific combination of conditions, built into the Microsoft Power Apps design, led to a massive data breach that exposed 38 million records, UpGuard discovered.
“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated,” the report explained.
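As an added example (not code from the UpGuard report or from Microsoft's diagnostic tool), the following self-assessment checks your own portal the way the mechanism above implies: it requests the OData service document without credentials, probes one row per entity set, and flags any set that is anonymously readable but was never meant to be public. The `/_odata/` path and the 401/403 behaviour for permission-protected tables are assumptions, and the HTTP responses are constructed so the check runs offline.

```python
import json
from typing import Callable, Dict, List, Set, Tuple

# Fetcher: url -> (http_status, body). Injected so the audit runs offline here; a
# live run of your own portal would wrap requests.get() with NO cookie or token.
Fetcher = Callable[[str], Tuple[int, str]]

def audit_portal_odata(base_url: str, fetch: Fetcher) -> Dict[str, str]:
    """Classify every entity set advertised by the portal's OData service document.
    Assumption: the feed lives under /_odata/ and a 401/403 on an entity set means
    table permissions are being enforced for anonymous users."""
    root = base_url.rstrip("/") + "/_odata/"
    status, body = fetch(root)
    if status != 200:
        return {}  # feed disabled or unreachable: nothing is exposed this way
    try:
        names = [e["name"] for e in json.loads(body)["value"]]
    except (ValueError, KeyError, TypeError):
        return {}
    verdicts: Dict[str, str] = {}
    for name in names:
        s, b = fetch(f"{root}{name}?$top=1")  # one row is enough to prove access
        if s in (401, 403):
            verdicts[name] = "protected"
        elif s == 200 and json.loads(b).get("value"):
            verdicts[name] = "anonymous-readable"
        else:
            verdicts[name] = "no-anonymous-rows"
    return verdicts

def unexpected_exposures(verdicts: Dict[str, str], intended_public: Set[str]) -> List[str]:
    # Entity sets readable anonymously that the owner never meant to publish.
    return sorted(n for n, v in verdicts.items() if v == "anonymous-readable" and n not in intended_public)

# Constructed offline responses for a hypothetical vaccination-registration
# portal: the site list is meant to be public, the registration list is not.
PORTAL = "https://example-portal.invalid"
RESPONSES = {
    f"{PORTAL}/_odata/": (200, json.dumps({"value": [
        {"name": "vaccination_sites", "url": "vaccination_sites"},
        {"name": "registrations", "url": "registrations"},
        {"name": "staff", "url": "staff"}]})),
    f"{PORTAL}/_odata/vaccination_sites?$top=1": (200, json.dumps({"value": [{"site": "Clinic A"}]})),
    f"{PORTAL}/_odata/registrations?$top=1": (200, json.dumps({"value": [{"fullname": "(redacted)"}]})),
    f"{PORTAL}/_odata/staff?$top=1": (403, ""),
}

def sample_fetch(url: str) -> Tuple[int, str]:
    return RESPONSES.get(url, (404, ""))
```

Against the constructed portal, `unexpected_exposures(audit_portal_odata(PORTAL, sample_fetch), {"vaccination_sites"})` returns `["registrations"]`, the list that should have been behind table permissions.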
In early July, UpGuard discovered breaches within Microsoft as well. The company submitted an abuse report with a list of all Power Apps and Microsoft CRM accounts with Microsoft data. The most severe Microsoft exposure involved 332,000 email addresses and employee IDs from Microsoft’s global payroll services.
As a result of the investigation, Microsoft enabled table permissions by default to avoid such exposures, and now provides customers with a tool to self-diagnose their portals.
“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the report suggested.
“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”
The breach can serve as a learning experience for customers and tech companies, UpGuard concluded. Many third-party risks are not classified as traditional vulnerabilities, but can be equally damaging to security.