What has happened?
Data from a number of Covid-19 contact tracing platforms, vaccine sign-up sites, job application websites, and employee databases was accidentally exposed on the open internet through thousands of online apps. People’s phone numbers and home addresses, social security numbers, and Covid-19 immunization status were all included in the data.
Major corporations and organizations were affected, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Metropolitan Transportation Authority, and New York City public schools. The exposures have since been fixed, but they demonstrate how a single incorrect configuration option in a widely used platform can have far-reaching effects.
All of the exposed data was held in Microsoft’s Power Apps portals service, a development platform that makes it simple to build mobile or web applications for external use. If you need to set up a vaccination appointment sign-up site quickly during a pandemic, for example, Power Apps portals can produce both the public-facing site and the data administration backend.
Discovery Of Incident
Beginning in May, researchers from the security company UpGuard investigated a significant number of Power Apps portals. These portals publicly disclosed data that should have remained private, including data from some Power Apps that Microsoft had developed for its own use. Although none of the information appears to have been stolen, the discovery is noteworthy because it highlights a design flaw in Power Apps portals that has since been corrected.
The Power Apps platform not only manages internal databases and provides a basis for developing apps, but also offers ready-made application programming interfaces (APIs) that connect to that data. However, the UpGuard researchers discovered that when these APIs were enabled, the platform made the associated data public by default; the privacy settings that restrict access had to be enabled manually. As a result, a large number of customers misconfigured their applications by leaving the unsafe default in place.
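As an added illustration (not code from this article or from UpGuard), the following Python checks a portal you administer to see what its data API returns to an anonymous caller, so an insecure default can be caught before the data is public. It assumes that Power Apps portals serve their OData feeds at /_odata/<EntitySetName> and that you supply the entity-set names from your own site; the portal URL and entity sets in the test are constructed placeholders.

```python
import json
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumption: a Power Apps portal serves its OData feed under /_odata/<EntitySetName>.
ODATA_PATH = "/_odata/"


def fetch_anonymous(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Unauthenticated GET (no cookies, no token); returns (HTTP status, body text)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        return 0, str(err.reason)


def classify_response(status: int, body: str) -> Dict[str, object]:
    """Decide what an anonymous caller could see: 'exposed' when records come back,
    'no_rows' for a readable but empty feed, 'protected' for 401/403/404, else 'unknown'."""
    if status in (401, 403, 404):
        return {"state": "protected", "rows": 0, "columns": []}
    if status != 200:
        return {"state": "unknown", "rows": 0, "columns": []}
    try:
        rows = json.loads(body).get("value", [])
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return {"state": "unknown", "rows": 0, "columns": []}
    if not isinstance(rows, list) or not rows:
        return {"state": "no_rows", "rows": 0, "columns": []}
    # Report the column names so sensitive fields (SSN, address, health status) stand out.
    columns = sorted(k for k in rows[0] if not k.startswith("@"))
    return {"state": "exposed", "rows": len(rows), "columns": columns}


def audit_portal(base_url: str, entity_sets: List[str],
                 fetch: Callable[[str], Tuple[int, str]] = fetch_anonymous
                 ) -> Dict[str, Dict[str, object]]:
    """Check each entity set of a portal you administer and report what is anonymously readable."""
    results: Dict[str, Dict[str, object]] = {}
    for name in entity_sets:
        url = base_url.rstrip("/") + ODATA_PATH + name
        status, body = fetch(url)
        results[name] = classify_response(status, body)
    return results
```

Any entity set reported as "exposed" is readable without authentication and should have its table permissions reviewed; "no_rows" means the feed answered but returned nothing to an anonymous caller.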
In many respects, the exposed information was limited in scope. The fact that the state of Indiana had a Power Apps portal exposure, for example, does not mean that all of the data held by the state government was accessible; only a portion of the contact-tracing data in the state’s Power Apps portal was involved.
Gravity Of The Issue
Over the years, misconfiguration of cloud-based databases has been a major problem, exposing vast amounts of data to unauthorized access or theft. Major cloud providers such as Google Cloud Platform, Microsoft Azure, and Amazon Web Services have all made efforts to keep customer data private by default and to flag potential misconfigurations from the outset, but the industry did not prioritize the issue until recently.
The affected organizations could potentially have discovered the problem on their own. Still, UpGuard’s Pollock believes it is the responsibility of cloud providers to ensure safe and private defaults; otherwise, many users will accidentally expose personal information.
It’s a lesson that the entire industry has had to learn slowly and painfully.