Cyber Alerts

171Comply News, Alerts, and Resources

Microsoft Power Apps misconfiguration exposes 38 million data records


Date: 23 August 2021

Title:  Microsoft Power Apps misconfiguration exposes 38 million data records 


Larry Dignan for Between the Lines

Sensitive data, including COVID-19 vaccination statuses, social security numbers, and email addresses, have been exposed due to weak default configurations for Microsoft Power Apps.  The data leaks impacted American Airlines, Microsoft, J.B. Hunt, and the Indiana, Maryland, and New York City governments. 

The OData API issue for a Power Apps portal was first discovered on 24 May and submitted a vulnerability report to Microsoft on 24 June.  The primary issue is that all data types were public when some data like personal identifying information should have been private. Misconfiguration led to some private data being surfaced.  Microsoft Power Apps are low-code tools to design apps and create public and private websites.

What to do?

Ensure that your software is properly installed and configured.

Ensure your firewall and antivirus/antimalware software is up to date and operational.

Routinely back up your network to a safe location that is “air-gapped.”

What can you do when this happens to you?

If you find that your network has been compromised, immediately shut down

Identify and mitigate the breach and mitigate as soon as possible

Rebuild the network from a known “clean” backup

Call Us

Contact us and we'll get back to you within 24 hours.


a Division of CommTech Systems, Inc

Send Us a Message