Date: 2021-08-24

More than a thousand web apps that use Microsoft's Power Apps portal service mistakenly exposed millions of records online, including data from COVID-19 contact-tracing platforms and vaccination sign-ups, Wired reported Aug. 23.

Six details:

1. The incident affected major companies and organizations including the Maryland Department of Health, American Airlines and transportation and logistics company J.B. Hunt.

2. The 38 million exposed records all were stored on Microsoft's Power Apps portal service, which is a development platform for creating web or mobile apps. For example, organizations managing COVID-19 vaccination sign-ups used the platform to create a public-facing site and data management back end.

3. Beginning in May, researchers from security firm UpGuard discovered that a large number of Power Apps portals publicly exposed data that should have been private. This information included people's Social Security numbers, COVID-19 vaccination status, phone numbers and home addresses.

4. None of the data is known to have been compromised, and the oversight in the design of the Power Apps portals has been fixed.

5. UpGuard disclosed the findings of its investigation to Microsoft, which at the beginning of August announced that Power Apps portals now will default to storing application programming interface data and other information privately.

6. Microsoft also launched a tool customers can use to check their portal settings. The company did not respond to Wired's comment request.