The Limited Times


Microsoft Power Apps: misconfiguration exposes 38 million records

2021-08-24T11:59:39.361Z


Because dozens of corporations and organizations did not change the default settings of a development platform they were using, anyone could access their data. Who is affected?



Anyone can create apps, right?

Photo: Nicolas Armer / dpa

It sounds so simple in advertising.

With Microsoft Power Apps "anyone can develop and share apps - quickly, easily and with little code," the Windows group says in advertising a product whose customers can in fact do just that: develop apps without being able to program.

As the cybersecurity company UpGuard now reports, at least 47 public institutions and companies made mistakes when using this system, leaving 38 million data records freely accessible.

According to the report, the organizations affected include, for example, the airline American Airlines and the freight forwarder JB Hunt, the automaker Ford and, on the government side, the Ministry of Health of Maryland and the school authority and the public transport authority of New York City.

In total, the company found more than a thousand data lists, analyzed the worst of them and informed the organizations concerned before Microsoft took this process into its own hands.

The problem with the default setting

The data discovered in these investigations ranges from names, phone numbers and email addresses of employees or customers to vaccination appointments and personal data of vaccinated persons to information about drug tests that a company has carried out on its employees.

However, it apparently was not always easy for UpGuard to notify the organizations affected by the data leaks.

In any case, the company describes some of its attempts to initiate contact in detail and also shows how difficult it was sometimes to get to a person in larger organizations who felt responsible for such a data leak.

In all cases, however, the databases were secured within a short period of time.

UpGuard identifies the cause of the data leaks as a peculiarity of Microsoft's Power Apps: by default, the databases in question classify all data as public.

To protect them against unauthorized access, their operators must intervene and reconfigure the system so that private information remains private.

Microsoft's explanation of how to use lists describes how to do this.

However, not all customers seem to take the corresponding passage to heart.

Microsoft response

Microsoft, on the other hand, seems to have reacted to the advice from UpGuard.

According to "The Register", the default setting has since been changed so that the data types in question are automatically secured against unauthorized access.

The online documentation for Power Apps explicitly advises caution when activating the so-called »OData feeds« for confidential information.

In a statement that Microsoft sent to some US media, the Windows group explains: "We take security and data protection very seriously and encourage our customers to configure their products in such a way that they best meet their data protection requirements."

mak

Source: spiegel
