Microsoft Power Apps misconfiguration exposes 38MM sensitive records


Not every major data breach or cybersecurity incident is the work of master hackers with government-level resources and support. As we’ve discussed here before, ransomware as a service is a large and growing threat to small and medium-sized businesses across the country. But it’s not only nefarious actors deliberately targeting you that you have to worry about — a misconfiguration can create a huge, systemic exposure that you have to watch out for as well.

Sensitive data including personal information for COVID-19 contact tracing and vaccination appointments, social security numbers for job applicants, employee IDs, names and email addresses found their way onto the open internet without a lot of folks even realizing the vulnerability existed.

And it all came from a single misconfigured default setting in Microsoft Power Apps.

Microsoft Power Apps

The misconfiguration of a default setting within Microsoft’s Power Apps led to more than a thousand web apps being accessible on the open internet. But what are Microsoft Power Apps? Put simply, it’s a development platform that makes it easy to create web or mobile apps for external use. For instance, if you needed to launch a vaccine appointment sign-up site yesterday, Power Apps can quickly — and without a ton of custom coding — allow you to stand up both the public-facing portal and the data management backend.

The breach was wide ranging, and affected some major companies you’d recognize: American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.

The long and short of it is that the platform’s default configuration left some private data set to “public” when it should have defaulted to “private”.

As Wired described it:

In addition to managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data. But the UpGuard researchers realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default.

What does this mean for your business?

Alright, that doesn’t sound great… but what does it mean for your business? Few pieces of code or software your company uses are custom made. Many code bases are open source or build upon the protocols or work of other software developers who came before. It’s hard to build complex things from scratch, so developers borrow from well-known, reliable sources to help speed things along. But even the most reputable tools from the biggest names in tech (like, say, Microsoft) can ship with small configuration defaults baked in that leave you massively exposed.

To that end, unless you yourself are a cybersecurity expert or software developer, you’re unlikely to know how to check for these vulnerabilities, how to fix what you find, or, even better, how to preempt a breach like this in the first place.

That’s where we come in.

Managed service providers like Leverage allow small and medium-sized businesses to outsource their cybersecurity and technology operations to trained experts. You run your business and stay focused on that; we take care of configuration issues, data management, cybersecurity, and so on. We ensure undisturbed uptime while protecting your sensitive information so you can actually run your business.

If this sounds like something you could use some help with, we’d love to chat.