Misconfigured Microsoft Apps Expose 38 Million Sensitive Records Including Contact Tracing

Over one thousand web apps using Microsoft Power Apps have mistakenly exposed 38 million records online, including sensitive data relating to a number of coronavirus contact tracing platforms, vaccination registrations, job application portals, and employee databases.

Wired reports that a thousand web apps have accidentally exposed 38 million records online, including data from coronavirus contact tracing platforms, vaccinations sign-ups, job portals, and employee databases. The records included a wide array of sensitive information including phone numbers, home addresses, social security numbers, and vaccination status. The exposure of sensitive data was caused by the misconfiguration of Microsoft’s Power Apps tool, which is used to manage the database for many apps and web services.

A number of major companies and organizations were affected by the leak including American Airlines, Ford, J.B. Hunt, the New York City Municipal Transportation Authority, the Maryland Department of Health, and New York City public schools.

The data was all stored in Microsoft’s Power Apps portal service which is used to create web or mobile apps for eternal use. Power Apps portals can be used to create both public-facing sites and data management backends for signup systems including job application portals and even vaccine registration sites. – READ MORE