Massive Microsoft data leak puts 38 million records at risk


Personal data and vaccination records were reportedly included in the breach

According to researchers, an estimated 38 million records from more than 1,000 apps that use Microsoft's Power Apps portals platform have been exposed. Those records are not only jam-packed with typical personal data like phone numbers and addresses, but they also include data from COVID-19 contact tracing efforts, vaccine registrations, and employee databases.

The security leak also reportedly exposed data from large companies and agencies alike, including Ford, American Airlines, logistics company JB Hunt, the Indiana Department of Health, and New York City public schools, according to Wired magazine. 

Caught in the nick of time

Research analysts from security risk platform company UpGuard first uncovered the issue in May when they found unprotected data from several Microsoft Power Apps portals online.

After investigating the matter further, UpGuard sent a vulnerability report to Microsoft in late June. The researchers showed what specific pieces of data were accessible and made suggestions about what Microsoft could do to disable anonymous access to it. 

By mid-July, Microsoft said it had the situation under control and that most of the data from the Power Apps portals had been made private.

Indiana consumers luck out 

In the Indiana Department of Health’s (IDOH) case alone, data from the state’s COVID-19 online contact tracing survey was accessed for nearly 750,000 Hoosiers. The information supposedly included names, addresses, emails, genders, ethnicities and races, and dates of birth.

While that might seem dire, those people were actually pretty lucky. According to an announcement made by the state, it was able to get the company that accessed the data to sign a “certificate of destruction.” The agreement confirms that the data was not released to any other entity and was destroyed by the company.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Kris Box, M.D., FACOG. “We will provide appropriate protections for anyone impacted.”
