Microsoft Data Breach Exposes 38 Million Personal Records, Including Social Security Numbers and Vaccination Records

According to reports, 38 million personal records were mistakenly exposed on the open internet due to a weakness in over a thousand Microsoft web applications. The exposed personal data includes phone numbers, home locations, social security numbers, and COVID-19 immunization status.

The corporations and organizations impacted by the error were J.B. Hunt, American Airlines, the Maryland Department of Health, Ford, the New York City Municipal Transportation Authority, and New York City public schools.

Wired reported that the data that was accidentally released online included information from various COVID-19 contact tracing sites, vaccination sign-up forms, job application portals, and employee databases.

Microsoft’s Power Apps portal service had been used to store all of the data. The portal is a development platform that enables the creation of online or mobile applications for external use. It can be used to establish a public-facing website for services such as vaccine registration and a database for internal use.

However, experts from security firm UpGuard discovered that, in some situations, the backend database was accessible to anyone who could locate it.

In May, UpGuard initiated an investigation into thousands of Power Apps portals that exposed what should have been private data to the public. The firm discovered that the mistake occurred when the pre-built application programming interfaces for Power Apps were used to interact with data.

According to a study issued on Monday, when an API was enabled for data interaction, the data was immediately made public. Although customers could modify their privacy settings manually, many were unaware of this and left their apps on the default setting, which meant that any data collected was automatically made publicly accessible.

“We found one of these that was misconfigured to expose data, and we thought, we’ve never heard of this, is this a one-off thing, or is this a systemic issue?” said UpGuard’s vice president of cyber research, Greg Pollock.

“Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”

It is unlikely that any of the information discovered had previously been exposed by hackers, and Microsoft has now corrected the error.