Millions exposed due to Microsoft misconfiguration

Thirty-eight million records from dozens of organizations, including COVID-19 contact tracing information, were exposed online earlier this year due to a misconfiguration in a Microsoft product, according to research published Monday.

Cybersecurity group UpGuard’s research team detailed in a report that it had notified 47 groups that their data had been exposed. Among them were government organizations, including the Maryland Department of Health, New York City Schools, New York City Municipal Transportation Authority and the government of the state of Indiana.

Data from private companies was also exposed, including from various other Microsoft groups, Ford, American Airlines and J.B. Hunt. Data exposed included COVID-19 contact tracing, vaccination appointments, Social Security numbers, employee IDs and other personal information on millions of individuals.

The exposed data, first discovered by researchers at the end of May, was not compromised. The exposure was the result of a configuration in Microsoft’s Power Apps, which allows customers to build data applications for their business needs. That configuration, which made millions of data points publicly available, has since been corrected.