Microsoft has revealed a data breach of its Power Apps portal that has exposed 38 million records.
The exposed data includes COVID-19 contact tracing, vaccination registrations and statuses, and employee databases with details such as home addresses, phone numbers and social security numbers.
Many large corporations and public sector organisations have been directly impacted
The vulnerability affected more than 1,000 web apps, including those for New York City public schools. Unfortunately, that’s not all: Ford Motor Company was also affected by the data breach. The Indiana Department of Health is another victim whose information was compromised in this Microsoft data breach.
With so many people at risk of identity theft or even worse, the release of these private records from Microsoft’s Power Apps portal will surely prompt an outcry demanding accountability from the company.
Some employees at the affected organizations tried to use data breach notification services such as HaveIBeenPwned, but they could not find their personal information within the database. Although this is a good sign initially, there is no guarantee that user data won’t appear across the dark web in the coming days and months, as a result of this breach.
Microsoft knew of the issue as early as 2018
According to The Register, Microsoft is aware of the problem and has started notifying those impacted by this serious incident.
In addition, at least one company is believed to have filed a class-action lawsuit against the tech giant.
The Power Apps data breach was discovered by researchers at German software developer Digital Interruption (DI). DI’s security chief disclosed that he had warned Microsoft of the vulnerability within its system back in December 2018 but received no response from the company.
The firm claims that Microsoft’s security team was aware of the breach for six months but seemingly did nothing to address it.
DI claims that the vulnerability is still present within Power Apps even though Microsoft has taken steps to remove some public data from its servers following DI’s disclosure of the flaw earlier this month. However, Digital Interruption says that only a few data fields have been removed, and the sensitive information remains on Microsoft’s servers.
Another stark warning to organisations against the threat of multifaceted hacks and attacks
Earlier this month, T-Mobile disclosed details of a similar breach that exposed 40 million user records to hackers.
It is yet another severe warning to IT organizations worldwide: they need to be aware that cloud services are not infallible. It’s more likely than ever before that these sorts of data breaches will occur due to an increasing reliance on cloud services by companies everywhere.
Microsoft has yet to comment further on the security breach.