By Design: How Default Permissions on Microsoft Power Apps Exposed Millions
The UpGuard Team writes:
The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure. The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals. This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don’t slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues.
Read more on UpGuard.
Remember the recent report that the state of Indiana was notifying 750,000 people, in which an unnamed company was criticized? It now appears that company was UpGuard.
Is this another instance of “shoot the messenger”? Over on The Register, Thomas Claburn reports, in part:
How dare you point out our flaws!
UpGuard’s findings were not universally welcomed: Acknowledging last week that “data from the state’s COVID-19 online contact tracing survey was improperly accessed,” Tracy Barnes, chief information officer for the State of Indiana, suggested the data exposure followed from UpGuard profiteering.
“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business,” said Barnes.
UpGuard in its post disputed Barnes’ insinuation and challenged the Indiana Department of Health to release the agency’s recording of the conference call in which UpGuard discussed its findings with state officials.
“During five years of sending data breach notifications, UpGuard has never approached Indiana or any other company notified of a breach for business, and there is no merit to Mr. Barnes’s statement,” said UpGuard.