A team at cybersecurity company UpGuard found that dozens of businesses using Microsoft Power Apps have made their users' data publicly available. As a result, the data of 38 million people were in the public domain.
UpGuard was able to identify 47 private companies and government organizations that did not close access to their customers' data. Among others, these are the authorities of the American states of Indiana, Maryland, New York and Denton County (Texas), as well as American Airlines, Ford and even Microsoft itself.
Information long publicly available included names, addresses, email boxes, insurance policy numbers, COVID-19 vaccination data, and information collected by apps to track the spread of the virus.
Power Apps is a Microsoft service for building custom apps and sites that connect to databases of companies and organizations. According to the UpGuard report, many Microsoft customers have ignored the fact that by default, access to the databases used by the service remains public. Companies themselves must close the databases if they believe that the information in them is confidential. Therefore, Microsoft itself does not consider the incident to be a data breach.
Read also:
