About 38 million records of personal data, some of them from coronavirus contact-tracing platforms, were left exposed earlier this year due to misconfigurations in Microsoft software used by many companies and organizations.
On Monday, computer security company UpGuard released a report of a months-long investigation that showed millions of names, addresses, tax identification numbers and other confidential information had been exposed — but not hacked — before the issue was resolved.
American Airlines, Ford, JP Hunt, and communities such as the Maryland Health Authority and New York City Public Transportation are among the 47 groups involved.
What they have in common is that they used Microsoft's Power Apps, software that makes it easy to build websites and mobile apps for interacting with the public.
For example, if an organization needs to quickly set up an appointment booking portal for vaccines, this service from the IT giant provides both the public-facing interface and the data management behind it.
But until June 2021, the software’s default configuration did not adequately protect certain data, UpGuard researchers explained. “Thanks to our research, Microsoft has since changed Power Apps portals,” they say.
“Our tools enable solutions to be designed at scale that meet a variety of needs. We take security and privacy seriously, and encourage our customers to configure products to best meet their privacy needs,” a Microsoft spokesperson replied.
The company also noted that it systematically informs its customers when it identifies potential exposure risks, so that they can remedy them.
But according to UpGuard, it is better to change the software based on how customers actually use it, rather than “seeing the widespread lack of data privacy as a user configuration error, which keeps the software problematic and puts the public at risk.”
They add that “the number of accounts in which sensitive information was exposed shows that the risks associated with this feature – the potential and impact of a configuration error – have not been adequately considered.”