Researchers at cybersecurity vendor UpGuard have discovered multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure. The types of data exposed varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals.
Instances of accidental data exposure have become an almost daily occurrence, and it’s important for all those who were potentially affected to take some preventative measures, such as changing passwords and enabling multifactor authentication wherever possible.
Commenting on the news, Natalie Page, threat intelligence analyst at Talion, said: “The personal data of 38 million citizens opens the floodgates for attackers looking to exploit and monetise from this incident. Accidental data exposure essentially provides attackers with electronic keys to criminal activity; the threats and consequences created by an incident of this size are significant. The type of data involved in the incident is the determining factor for what attack methods are available to an adversary. What is concerning with this particular case is that it includes a vast number of various personally identifiable items, creating a wide scope of potential attack methods. Impersonation, fraud, account takeovers, spear-phishing and blackmail are just some of the methods made possible by this breach, and with details such as individual addresses also supplied, attacks have the potential to spill over into the real world.”
George Papamargaritis, MSS director at Obrela Security Industries, stressed the consequences of misconfiguring applications: “No one can be sure if this data was accessed by any intruders, and if it was, it would have provided them with a wealth of sensitive information which could be used in phishing and identity attacks. When organisations use cloud applications to store sensitive data, they must understand how to configure them properly so no data is put at risk. There have been multiple incidents in the past where cloud misconfigurations have led to data breaches, which have then led to costly fines for the organisation. No one wants to find themselves in this position, so understanding the rules around cloud configurations is essential.”
Lamar Bailey, senior director of security at Tripwire, also encouraged organisations to harden their systems to prevent the accidental exposure of data: “Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations because change detection (hardening) is key for securing your cloud infrastructure and preventing inadvertent exposure. These are solvable problems, and tools exist today to help.”