Microsoft Power Apps breach exposes third party security vulnerabilities

Take the ten-question reality check: How confident are you in your ability to protect customer data?

In what’s been called “a new vector of data exposure,” a Microsoft Power Apps breach recently exposed 38 million records online – many with personally identifiable information (PII) including Covid-19 vaccination status, Social Security numbers, and other sensitive customer data.

Major companies, including Ford Motor Company and American Airlines were affected, as well as government agencies like the Maryland Department of Health and the New York City Municipal Transportation Authority.

The breach, during which more than a thousand web apps were made freely accessible online, was initially announced in a report on the UpGuard website, after having been discovered by the security company’s cyber risk research team. There, researchers disclosed the discovery of “multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access.”

What was the issue with Microsoft Power Apps?

Microsoft Power Apps enables users to easily develop “low code,” cloud-based, web, or mobile applications. And through Microsoft Power Apps portal service, third party organizations can also create public websites used to store, access, and share data through forms, surveys, and other online interactions.

Unfortunately, however, the default settings for Power Apps portals had (until quite recently) been configured to “expose records for display” – unless expressly modified by third party users. And while Power Apps documentation did warn that the offending OData (Open Data Protocol) APIs would result in publicly accessible records if settings weren’t configured correctly, it seems that thousands of end users didn’t get the message.

Alerts from security researchers diffuse potential threat

The good news is that reports have yet to surface that any bad actors have succeeded in compromising databases exposed by the breach. And to their credit, UpGuard’s research team reached out directly to 47 governmental, corporate, and other entities, with early warnings of the impending threat of PII exposures.

UpGuard also alerted Microsoft about the exposure, resulting in the tech giant quickly issuing a software fix, providing a self-diagnostic tool for customers, and announcing product changes to secure Power Apps portal default settings to avoid future vulnerabilities.

But the fact remains that this incident could have easily caused far-reaching damage to Microsoft and its end users, had they not been alerted to the problem – not to mention the potential havoc inflicted by cybercriminals armed with the PII of millions of people.

Platform provider or third party end user: Who’s responsible?

Following the breach, a Microsoft spokesperson told CRN, “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”

And in a related CRN interview, Greg Pollock, UpGuard’s vice president of cyber research, seemed to impart a similar sense of shared responsibility when it comes to cybersecurity issues – by simply advising IT security pros to “slow down and properly budget for mastering the technologies involved.”

Noting the complicated nature of identity and access management in cloud environments, he continued, “My guess would be that many of these portals that were exposing data were because the person who set up the data feed API was not an expert. I’m going to guess they did not read the documentation.” Which, as noted above, would have alerted users to the default settings in question.

Meanwhile, a recent Wired article stated that, “Misconfiguration of cloud-based databases has been a serious issue over the years, exposing huge quantities of data to inappropriate access or theft. Major cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customers’ data privately by default from the start and flag potential misconfigurations.”

So, with increasing numbers of variables at play, perhaps the realistic answer is that – from CISOs to system administrators – we’re all responsible for the protection of sensitive customer data and other mission-critical assets. Because when your organization intakes customer data, it becomes your responsibility to protect it – not Salesforce’s, Google’s, or Microsoft’s.

Take the ten-question reality check: How confident are you in your ability to protect customer data?

If you’re not sure about the strength of your security strategy, a good way to find out is to follow the data. Start by asking a few simple questions:

1. What is your privacy strategy for protecting your customers’ sensitive PII data? Have you proven that you can safeguard it consistently?
2. Good governance policies may have helped identify the security settings error responsible for the Microsoft Power Apps breach. How robust is your data governance solution?
3. Do you regularly monitor the security of your applications?
4. How reliable is your compliance solution? Are you treating data in accordance with regulations imposed by GDPR, HIPAA, FINRA, PCI, and other regulatory bodies?
5. Do you know who’s accessing your systems or devices via single sign-on (SSO) or multifactor authentication (MFA) – at any given time?
6. Are you monitoring users’ activities once they’re in your system? Are they accessing data they shouldn’t be? Downloading or exporting it? If so, will you be alerted immediately?
7. Some cloud platforms change security settings regularly – and without notice. Are you prepared to respond with required updates?
8. Do your security processes accommodate the additional risks posed by remote and mobile technologies?
9. If an intrusion occurs, how will you mitigate data loss? Would you be able to quickly identify who breached your system, as well as when, how, and why?
10. Are you prepared for a regulatory audit?

Safeguard customer data and maintain trust with a defense in depth security strategy

If you have unanswered questions – or just aren’t sure – it may be time to reassess your security strategy. The best way to secure sensitive customer data is to deploy multiple defensive measures. Leading IT security experts agree that no one control element is entirely infallible, so the safest environments rely on multi-layered, defense in depth security strategies.

Learn more about how you can safeguard customer data and maintain trust with a defense in depth security strategy based on the Imprivata digital identity framework.

Get the ebook, Defense in Depth: How to Secure Your Organization from the Inside Out.