SAN FRANCISCO – Some 38 million records stored on a Microsoft service, including private information, were mistakenly left exposed this year, said security firm UpGuard yesterday.
The data, including names, addresses, financial information and Covid-19 vaccination statuses, was made vulnerable – but not compromised – before the problem was resolved, according to a probe by the digital security firm.
Among the 47 affected organisations were American Airlines, Ford, JB Hunt and public agencies, such as the Maryland Health Department and the New York City public transit system.
They all used a Microsoft product called Power Apps, which allows for the creation of websites and mobile applications to interact with the public.
The service’s default software configuration setting meant that the data of the affected organisations was left without protection up until June, according to UpGuard.
“As a result of this research project, Microsoft has since made changes to Power Apps portals,” said the report.
Microsoft said it has let clients know when potential security risks are uncovered so they can fix the problems themselves.
“We take privacy and security seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” said a spokesman.
But UpGuard said it would have been better to change the way the software works at the source, based on how customers use it, rather than “to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist”. – AFP, August 24, 2021