Microsoft platform leaked 38 million files from states, large businesses
The exposure of a COVID-19 contact-tracing database in Indiana that sparked a row between state officials and a cybersecurity company was part of a broader issue connected to a Microsoft app-development tool that left tens of millions of records containing personal information from a range of large government and corporate entities visible on the internet.
According to research published Monday by UpGuard, which discovered the leaks, organizations that used Power Apps, a low-code development platform for creating business-intelligence tools, were susceptible to a default configuration that made their data sets findable by search engines or anyone with knowledge of the web address. In total, UpGuard notified 47 organizations and counted 38 million records — containing names, dates of birth, addresses and, in some cases, Social Security numbers — that were exposed.
The leaks, discovered in late May, were examples of how increasingly complex software environments can lead to organizations exposing sensitive data when it’s not entirely clear how new tools are designed, or not taking enough care to ensure that every potential hole is buttoned up. They’ve also shed light on the complex dynamics between ethical hackers like UpGuard and the tech companies and other organizations — like government — they attempt to warn.
Easily searchable
The Indiana Department of Health’s contact-tracing database contained records belonging to about 750,000 people. Other data leaks UpGuard discovered included Maryland Department of Health coronavirus testing appointments, New York City Department of Education staff and student rosters and a New York Metropolitan Transit Authority list of employees vaccinated against COVID-19. UpGuard’s researchers also found data belonging to American Airlines, Ford Motor Company and the freight company J.B. Hunt, as well as several internal Microsoft files, including 332,000 employee email addresses found in the company’s global payroll services.
The leaks were possible because of a default configuration with Power Apps’ portals function, which is designed to create websites that “give both internal and external users secure access to your data,” according to Microsoft’s documentation. Such websites are often constituent-, customer- or employee-facing programs that involve an exchange of personal information.
Greg Pollock, UpGuard’s vice president of cyber research, told StateScoop the leaks were discovered May 24 after a company analyst was using a Power Apps-built site and got curious. The analyst, he said, “noticed how the API worked and realized by making direct calls, it would return data that should not have been directly accessible.”
UpGuard’s analysts discovered that while the Power Apps portal’s default settings secured data organized into tables, data sets organized as lists were left unprotected unless a user changed the configuration manually. And traditional search engine queries for pages ending in the subdomains used by Power Apps sites — powerappsportals.us for the public sector, and powerappsportals.com for the commercial market — eventually turned up more than 1,000 sites.
After identifying a “significant number” of URLs, UpGuard checked to see if their data sets were publicly available simply by adding “/_odata” to the address. If the site’s operator had not changed the settings on table permissions, the data would be listed on screen.
“In some ways, this is one of the simplest ways data is exposed,” Pollock said. “All these portals are on one domain.”
Hard to reach
UpGuard first reported the configuration issue through Microsoft’s vulnerability disclosure policy on June 24, including three examples of U.S. government entities that’d left their data exposed in Power Apps, including COVID-19 tracking data and Social Security numbers from job applicants. A Microsoft analyst responded the same day, and UpGuard’s analysts began sharing their findings. Yet Microsoft closed the case June 29 having “determined that this behavior is considered to be by design,” the UpGuard report reads.
“This is not strictly a vulnerability in the software sense,” Pollock said. “That’s the higher-level problem. The issue isn’t that you don’t understand how this works, the issue is I’m pointing out seven different portals exposing COVID data and Social Security numbers.”
After Microsoft formally closed its VDP case, UpGuard took it upon itself to notify some of the organizations it had found to be leaking data because of Power Apps’ default settings. Most, including American Airlines, Ford and the Maryland Department of Health, responded within a few days and secured their data lists. (A spokesperson for the Maryland agency confirmed UpGuard’s description of events to StateScoop.)
“We will do our best to secure all the sensitive data we know about, and say, ‘If you use this product, watch out for how it operates,'” Pollock said.
Other organizations were not so easy to reach. On July 2, UpGuard attempted to notify the MTA by filling out a standard online complaint form — the method advised by the transportation agency’s privacy policy — which could take as long as 15 days to elicit a response. After a week, one of Pollock’s analysts called the MTA’s corporate office, which deferred the analyst to a business-services office. That desk told UpGuard it would forward the data-leak warning to the MTA’s threat intelligence unit.
But when the MTA’s employee lists were still visible on July 12, UpGuard decided to notify the New York State Office of Information Technology Services. Three days after that, the analyst tried a personal contact at the the New York City Department of Information Technology and Telecommunications, who passed the tip onto New York City Cyber Command. The exposure was finally resolved the next day. Telling the New York City Department of Education’s about its data leak followed a similar ordeal, which Pollock said could’ve been avoided with a simple fix.
“Please put up a ‘privacy@’ your domain address email on your site,” he said.
‘There’s going to be a question’
Indiana was more complicated. While the state’s COVID-19 tracking information was sealed up by July 7, five days after it heard from Pollock, UpGuard and state officials spent the next month going back and forth over several key details, including when UpGuard accessed the data and confirmation that the company had deleted any information it had downloaded. That process involved getting logs from Microsoft, which hosts the state’s contact-tracing site, that recorded when the data had been accessed.
The Aug. 11 “certificate of deletion” that Pollock signed with Mohan Ambaty, the Indiana Department of Health’s CIO, confirmed the data was accessed because a Power Apps portal had been “inadvertently configured to allow public access” and that it would be deleted and destroyed from all of UpGuard’s storage locations.
But tensions flared last week when Indiana officials announced they’ll be buying credit monitoring for the roughly 750,000 Hoosiers whose information was in the COVID-19 database — an expense that’ll run into seven figures — and said UpGuard “intentionally looks for software vulnerabilities, then reaches out to seek business,” which the company refuted at length in its report on Power Apps.
Still, these white-hat notifications can alarm the officials who receive them, especially after a crisis that demanded rapid-fire IT decision-making.
“States and government entities were adapting to digital transformations over the last year-and-a-half, with new vendors and solutions,” said an executive in a government agency that heard from UpGuard. “The issue was a misconfiguration that was missed.”
What raises flags, the official said, is the scale of the data that was accessed to prove a vulnerability, which can have the undesired effect of spooking a public already weary of exposures and breaches.
“As what happens with a number of ethical or morally focused white-hat hackers, pointing that out is beneficial,” the government executive said. “But there has to be a question to the approach if you want to consider yourself focused on public policy interest. There’s going to be a question for any citizen when unauthorized data access is put out there.”
‘One of the better outcomes’
While Microsoft closed its VDP case in late June with little obvious resolution, the company took several actions later in the summer, including notifying its government customers of the configuration issue, according to the UpGuard report.
“We did not receive that notification, of course, but could observe its effect in that several lists for portals on powerappsportals.us that had been public in June were no longer public by the end of July,” the report reads.
Microsoft also released a tool that can detect if lists are allowing anonymous access. It also updated Power Apps so that new portals will have all data formats secured by default.
“We’ve had an interesting arc,” Pollock told StateScoop. “This is one of the better outcomes for this process.”
The government executive said the Power Apps discovery has been a reminder that new technologies need to be handled with diligence before they’re put into action.
“There’s absolutely an argument the OEMs could make things more transparent,” the official said. “That’s been the case with products for years. The things that are options instead of mandatory.”
In an emailed statement, a Microsoft spokesperson said that the company’s products give customers “flexibility and privacy features to design scalable solutions that meet a wide variety of needs.”
“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” the spokesperson said.
