Misconfigured web apps exposed millions of US personal records online

Data leak
(Image credit: Shutterstock/dalebor)

Improper default permission setting exposed personally identifiable information (PII) of over 30 million US citizens from across a few hundred portals, according to cybersecurity researchers.

The UpGuard Research team discovered over a thousand anonymously accessible lists across a few hundred portals that included sensitive details such as an individual’s Covid-19 vaccination status, along with their phone numbers, home address, and social security number (SSN), and more.

The data leaked from improperly configured PowerApps portals, which not just allowed access to public data as expected, but also exposed private data without anyone being the wiser.

“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft PowerApps portals configured to allow public access - a new vector of data exposure,” state the researchers in their analysis of the leak.

Feature or a misconfiguration?

The type of information that the researchers were able to access varied from one organization to the next. In all, the researchers managed to gawk at data from about four dozen entities, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, Ford, JB Hunt, and more.

The researchers believe that the staggering amount of exposure highlights a shortcoming on Microsoft’s part, in that it failed to properly convey the default settings and the behavior of the PowerApps platform.

“Our conversations with the entities we notified suggested the same conclusion: multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before,” note the researchers.

Microsoft initially dismissed UpGuard’s revelations as it was “determined that this behavior is considered to be by design.” 

However, as UpGuard began contacting the affected entities, Microsoft took several steps to help its customers avoid leaking data inadvertently. For instance, the company has now released a tool to check for lists that allow anonymous access and also modified the default table permissions.

TOPICS
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Cartoon Phishing
One of the largest data leaks ever sees info on 1.5 billion people leaked online
Data leak
Top healthcare company exposes data on millions of patients - find out if you're affected
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
A top online gift card store may have exposed private data on hundreds of thousands of users
Security padlock and circuit board to protect data
A major US TV broadcaster leaked over a million sensitive files online
Data Breach
Thousands of widely-used public workspaces are leaking data
Data leak
Popular online bill paying site leaks data of thousands of users
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all