Microsoft data breach exposes personal information of 38 million users
Redmond, Washington – Personal data of 38 million users were accidentally leaked due to a fault in Microsoft's Power Apps software.
The data included employee information, Covid-related personal information, and email IDs and phone numbers of millions of individuals, making it one of the largest possible data leaks in recent history.
Research team Upguard said, "The types of data varied between portals, including personal information used for Covid-19 contact tracing, Covid-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses."
Forty-seven different agencies were affected by the breach, which has since been rectified by the technology giant.
The information contained 332,000 emails and employee IDs used by Microsoft's payroll services and almost 85,000 records of other individuals.
Additionally, 39,000 emails registered with Microsoft Mixed Reality were also exposed.
Microsoft Mixed Reality, a software that allows businesses and individuals to build personalized simple software with the help of pre-installed templates, was used by a gamut of huge companies like American Airlines, Ford, and JB Hunt.
Microsoft Power Apps did not separate sensitive and public data
Government entities in Indiana, New York City, and Maryland were also discovered in the list of organizations affected by the leak.
"Power Apps portals have options built in for sharing data, but they also have built in data types that are inherently sensitive," said the firm.
"In cases like registration pages for Covid-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated," they continued.
According to the researchers, they had warned the company of the discrepancy back on June 24, but the company refused to pay heed.
"While we understand [and agree with] Microsoft's position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities," said the researchers.
In a statement gathered by Engadget, Microsoft said, "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs."
The research foundation blasted the alibi given by the company calling the anomaly a part of the design and leaving it on the end user to configure.
The firm said, "It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach."
Cover photo: IMAGO / NurPhoto