
38 Million Patient Records Go Online Following a Major Data Breach


A major security flaw in Microsoft’s OpenAI Power Apps portals has affected hundreds of apps, exposing roughly 38 million records so far. These range from Covid-19 vaccination certificates to personal data, including employment status, phone numbers, addresses and social security numbers. The victims work in businesses of every size across multiple industries, as well as in public institutions such as schools and hospitals.

An Issue Lying Dormant For Months?

Security issues related to the Power Apps platform appear to date back to May 2021. Rather than keeping user data private, a large portion of the apps built on Microsoft's Power Apps portal had been leaving it openly accessible to any interested third party. The vulnerability stems from the Application Programming Interfaces (APIs) that the Power Apps platform offers to help software developers build their own mobile and web applications. In theory, these APIs should let developers gather the data they need without sharing it elsewhere. In practice, the APIs did collect records but did not keep them private: they exposed them publicly by default, because that is how they were configured out of the box. Developers therefore had to change the settings manually to stop Microsoft's Power Apps APIs from exposing data that should have stayed under wraps.

What About the Patch?

Initially reluctant to address the issue, Microsoft’s security specialists have since urged their customers "to use best practices when configuring products in ways that best meet their privacy needs." Moreover, all available APIs on the Power Apps platform should keep data private by default, without requiring any additional steps on the customer's part. Microsoft has also gone further, launching a unique Portal Checker diagnostic tool to help customers review their custom API settings.
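The two sections above describe a permissive default (data served anonymously unless the developer opts in to access controls) and a diagnostic check that surfaces lists configured that way. The following Python model is an added illustration, not code from the article, from Microsoft or from the Power Apps product: the `ListConfig` fields, the `permissive_default` switch and the sample rows are all constructed assumptions used to show how a deny-by-default policy differs from the allow-by-default behaviour described, and what a configuration audit along the lines of the Portal Checker would flag.

```python
"""Hypothetical model of a portal list served over an OData-style API.

Not Microsoft's code. Field names, the permissive_default switch and all
sample data are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ListConfig:
    name: str
    odata_enabled: bool               # the list publishes an API feed at all
    table_permissions: bool           # developer turned on per-table access rules
    anonymous_read_allowed: bool = False  # explicit rule granting anonymous read


# Constructed sample rows; none of this is real data.
SAMPLE_ROWS: Dict[str, List[dict]] = {
    "contact_tracing": [{"name": "A. Sample", "ssn_last4": "0000"}],
    "vaccine_appointments": [{"name": "B. Sample", "phone": "555-0100"}],
    "public_events": [{"title": "Town hall"}],
}

# Constructed portal configuration: two sensitive lists left with access
# rules off, one public list with rules on and anonymous read granted.
PORTAL_LISTS = [
    ListConfig("contact_tracing", odata_enabled=True, table_permissions=False),
    ListConfig("vaccine_appointments", odata_enabled=True, table_permissions=False),
    ListConfig("public_events", odata_enabled=True, table_permissions=True,
               anonymous_read_allowed=True),
]


def serve_anonymous(cfg: ListConfig, rows: List[dict], permissive_default: bool) -> List[dict]:
    """Return what an unauthenticated client receives from the list's feed.

    permissive_default=True models the behaviour the article describes: with
    table permissions switched off, every row is returned to anyone.
    permissive_default=False models the secure default: nothing is returned
    unless an explicit rule allows anonymous read.
    """
    if not cfg.odata_enabled:
        return []
    if cfg.table_permissions:
        # Rules are enforced; only an explicit grant lets anonymous users read.
        return list(rows) if cfg.anonymous_read_allowed else []
    # No rules configured: the default decides, which is the whole problem.
    return list(rows) if permissive_default else []


def audit_exposed_lists(configs: List[ListConfig]) -> List[str]:
    """Names of lists that leak to anonymous callers under the permissive default.

    This is the check a configuration audit should perform: any list with a
    feed enabled but access rules off is exposed regardless of its content.
    """
    return [c.name for c in configs if c.odata_enabled and not c.table_permissions]


if __name__ == "__main__":
    for cfg in PORTAL_LISTS:
        leaked = serve_anonymous(cfg, SAMPLE_ROWS[cfg.name], permissive_default=True)
        print(f"{cfg.name}: {len(leaked)} row(s) visible anonymously (permissive default)")
    print("lists to fix:", audit_exposed_lists(PORTAL_LISTS))
```

The point of the model is that `audit_exposed_lists` does not need to inspect the data at all: the exposure is a property of the configuration, which is why a checker that only reads settings can find it, and why flipping the platform default to deny removes the leak without any per-list change by the developer.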

Exposed Data Breakdown

The exposed records vary in subject matter. Some relate to employees of American Airlines, while others point to New York City schools. Roughly 0.3 million email addresses and 40 thousand Mixed Reality dossiers could also have fallen into the wrong hands.
