Date: 23 August 2021
Title: Microsoft Power Apps misconfiguration exposes 38 million data records
Larry Dignan for Between the Lines
Sensitive data, including COVID-19 vaccination statuses, social security numbers, and email addresses, has been exposed due to weak default configurations for Microsoft Power Apps. The data leaks impacted American Airlines, Microsoft, J.B. Hunt, and the Indiana, Maryland, and New York City governments.
The OData API issue affecting Power Apps portals was first discovered on 24 May, and a vulnerability report was submitted to Microsoft on 24 June. The primary issue was a weak default: a portal that exposed a list through its OData API served the records in that list to anonymous requests unless the portal operator had explicitly enabled table permissions, so data such as personal identifying information that should have been private was readable by anyone who found the endpoint. Microsoft Power Apps is a low-code platform for building apps and public or private portal websites.
What to do?
Ensure that your software is properly installed and configured. For a Power Apps portal, that means enabling table permissions on every list and form that exposes Dataverse data, and turning off the OData feed unless the data is genuinely meant to be public.
Ensure your firewall and antivirus/antimalware software are up to date and operational.
Routinely back up your network to a safe location that is “air-gapped.”
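The exposure described above comes down to one question: does the portal's OData feed answer anonymous requests with records? The script below is an added example, not code from the article, from Microsoft, or from the researchers who reported the issue. It enumerates the entity sets a portal advertises, requests a handful of records from each without credentials, and flags columns whose names or values look like PII. The feed path /_odata, the two JSON service-document shapes it parses, the PII heuristics and the sample responses are all assumptions made for this example; the sample responses are constructed so the check runs offline.

```python
"""Anonymous-exposure check for a Power Apps portal OData feed (added example)."""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumption for this example: the portal serves its OData feed under this path.
ODATA_PATH = "/_odata"

Fetcher = Callable[[str], Tuple[int, str]]

# Heuristics for columns that should never be anonymously readable (assumed here).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SENSITIVE_NAMES = ("ssn", "social", "email", "vaccin", "dob", "birth", "phone")


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET a URL with no credentials or cookies; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def list_entity_sets(service_doc: str) -> List[str]:
    """Return entity set names from an OData service document.

    Accepts the v4 JSON shape {"value": [{"name": ...}]} and the v2 shape
    {"d": {"EntitySets": [...]}}; both shapes are assumptions of this example.
    """
    doc = json.loads(service_doc)
    if isinstance(doc.get("value"), list):
        return [e["name"] for e in doc["value"] if isinstance(e, dict) and "name" in e]
    d = doc.get("d")
    return list(d.get("EntitySets", [])) if isinstance(d, dict) else []


def records_of(body: str) -> List[Dict]:
    """Extract the record objects from a v4 ({"value": [...]}) or v2 ({"d": ...}) feed page."""
    doc = json.loads(body)
    rows = doc.get("value")
    if rows is None:
        d = doc.get("d")
        rows = d.get("results", []) if isinstance(d, dict) else (d if isinstance(d, list) else [])
    return [r for r in rows if isinstance(r, dict)]


def sensitive_fields(records: List[Dict]) -> List[str]:
    """Flag columns whose name or sample values look like PII."""
    flagged = set()
    for rec in records:
        for key, val in rec.items():
            name, text = key.lower(), str(val)
            if any(tok in name for tok in SENSITIVE_NAMES) or SSN_RE.search(text) or EMAIL_RE.search(text):
                flagged.add(key)
    return sorted(flagged)


def check_portal(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, Dict]:
    """Enumerate entity sets anonymously; a 200 with records means table permissions
    are not restricting anonymous reads on that list."""
    base = base_url.rstrip("/")
    report: Dict[str, Dict] = {}
    status, body = fetch(base + ODATA_PATH)
    if status != 200:
        return report  # feed disabled or access denied: nothing anonymously listable
    for name in list_entity_sets(body):
        st, data = fetch(f"{base}{ODATA_PATH}/{name}?$top=5")
        rows = records_of(data) if st == 200 else []
        report[name] = {"status": st, "readable": bool(rows), "pii_fields": sensitive_fields(rows)}
    return report


# Constructed sample responses: "contacts" has table permissions off, "cases" has them on.
SAMPLE_RESPONSES = {
    "/_odata": (200, json.dumps({"value": [{"name": "contacts", "url": "contacts"},
                                           {"name": "cases", "url": "cases"}]})),
    "/_odata/contacts?$top=5": (200, json.dumps({"value": [
        {"contactid": "1", "fullname": "A. Example", "emailaddress1": "a@example.test", "new_ssn": "123-45-6789"},
        {"contactid": "2", "fullname": "B. Example", "emailaddress1": "b@example.test", "new_ssn": "987-65-4321"},
    ]})),
    "/_odata/cases?$top=5": (403, json.dumps({"error": {"message": "Access denied"}})),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    for path, resp in SAMPLE_RESPONSES.items():
        if url.endswith(path):
            return resp
    return 404, ""


if __name__ == "__main__":
    # With a URL argument the check runs live; without one it runs against the sample.
    if len(sys.argv) > 1:
        result = check_portal(sys.argv[1], http_fetch)
    else:
        result = check_portal("https://portal.example.test", sample_fetch)
    for name, info in result.items():
        print(f"{name}: status={info['status']} readable={info['readable']} pii={info['pii_fields']}")
```

Run it only against portals you operate or are authorized to test. Any entity set reported as readable is one where the list is exposed without table permissions; the fix is to enable table permissions (or disable the feed) and then confirm the same request returns an error rather than records.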
What can you do when this happens to you?
If you find that your network has been compromised, immediately shut down or isolate the affected systems
Identify the breach and mitigate it as soon as possible
Rebuild the network from a known “clean” backup