Data leak exposes tens of millions of private records of corporations and government agencies

The data leak, which affected American Airlines, the Maryland Department of Health and the New York Metropolitan Transportation Authority, among others, resulted in the exposure of at least 38 million records, including employee information as well as data related to Covid-19 vaccinations, contact tracing and test appointments, according to UpGuard, the cybersecurity company that discovered the problem.

After UpGuard privately notified Microsoft and the affected organizations, the leaks were closed and the information is no longer publicly accessible. While the information was left unsecured, names, Social Security numbers, phone numbers, dates of birth, demographic details, addresses, and even employee drug-test dates and union membership data were available to anyone with the knowledge and inclination to look, UpGuard said.

In the case of Ford Motor Co., UpGuard said, the lists of loan vehicles distributed to dealers had also been exposed.

“When we learned of the problem, we acted quickly to assess the (low) risk and close the gap,” Ford spokesman TR Reid told CNN Business. “There has been no breach of sensitive personal information.”

It is unclear which federal agencies may have been affected by the problem.


Several of the affected organizations contacted by CNN Business, including American Airlines, the Maryland Department of Health, the MTA and the New York Department of Education, confirmed that their systems have been secured and that there are no indications that their data was accessed improperly.

Microsoft told CNN that only a small number of its customers had configured their systems so that unauthorized viewers could access the data.

“We take security and privacy seriously and encourage our customers to use best practices when setting up products in the way that best meets their privacy needs,” a Microsoft spokesman said in a statement. Microsoft has since changed the software’s default security settings to be more restrictive for some users.

At least 47 organizations had unknowingly exposed their information because of the misconfiguration, UpGuard said in a report released Monday summarizing its work. The company told CNN that there may have been more organizations it didn’t know about. Because the problem had not been previously identified, it was not something most organizations knew how to look for in existing security audits, said Kelly Rethmeyer, a spokeswoman for UpGuard.

“This is what made so many organizations vulnerable to this potential problem,” Rethmeyer said, adding that “for the most part, our experience was that people were very willing to get to work fast and correct it, and no one knew it was a potential security concern.”

Other organizations cited in the UpGuard report include trucking giant JB Hunt, the Indiana state government and Microsoft itself. JB Hunt did not immediately respond to a request for comment. An Indiana state spokesman declined to comment beyond a press release issued by state health officials disclosing the leak.

In a statement, American Airlines said its version of the misconfiguration affected “business contact information relating to corporate travel managers.”

“Passenger data was not affected,” company spokeswoman Andrea Koos said. “We appreciate the work of security companies like UpGuard in helping keep our business and our customers secure.”

Charles Gischlar, a spokesman for the Maryland Department of Health, said the agency investigated the UpGuard report and found that “there was nothing to suggest any disclosure of personally identifiable information or personal health information at any time.”

A spokesman for New York City schools said the department is committed to protecting the privacy of its school communities and that steps were taken immediately to protect the data and prevent further leakage. An MTA official told CNN that no data was stolen and that the problem has been fixed.


The problem stems from a privacy setting in Microsoft Power Apps, a product widely used by public and private entities to share data. Some organizations, such as public health agencies, have used Power Apps to let members of the public look up their own Covid-19 test results or vaccination records. Other organizations used the software for internal record-keeping.

By default, an access setting designed to limit what data a user can see, and which could have prevented the leaks, was not enabled, according to the UpGuard report. UpGuard said it first discovered the problem at one organization on May 24. After scanning the web for similarly unsecured databases and finding numerous examples, UpGuard reported the problem to Microsoft on June 24 as a potential software vulnerability. According to the report, Microsoft responded that the configuration worked as designed; Microsoft did not dispute this account to CNN.

UpGuard said it began notifying affected organizations in early July, and many closed the leak within a matter of days. By the end of July, data hosted on a domain that appeared to support the use of Power Apps by U.S. government agencies was no longer public, UpGuard said.

Microsoft told CNN on Monday that it has changed the default settings so that organizations using basic templates and Power Apps design tools will have the privacy settings turned on automatically. Microsoft told CNN that organizations doing more complex or custom development in Power Apps will still need to enable the settings themselves. Microsoft has also released a tool to help organizations check their settings, UpGuard said.

Microsoft declined to answer CNN’s questions about whether there was a specific reason for the original default setting. But the company said it has provided guidance to developers and published documentation advising organizations on how to configure the software properly for their needs.
