Brief description of the story
On May 24, 2021, an UpGuard analyst discovered that the Open Data Protocol (OData) API for an organization’s Power Apps portal contained an anonymously accessible list of data. The exposed PII included names, COVID-19 contact tracing information, vaccination appointments, Social Security numbers, employee IDs, and email addresses.
The impact and consequences of the data breach
Personally identifiable records were exposed, and the people those records describe are put at risk by that exposure.
How the data breach occurs and the main cause of the data breach
Microsoft Power Apps is a cloud-hosted suite of services that allows organizations to create business intelligence applications. Power Apps portals allow both internal and external users to securely access data through a public website. Users can store data, create forms for users to enter data, and use APIs to retrieve data from other applications.
The service also allows users to enable OData APIs, which permit organizations to publicly display Power Apps lists. A design mishap left organizations that had not explicitly enabled certain permissions exposed to anonymous access.
How to prevent this data breach attack
Limit access by anonymous users
Protect sensitive data such as personally identifiable information
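The core of the prevention advice above is verifying that anonymous users cannot enumerate a portal's OData lists. The following audit helper is an added example, not UpGuard's tooling or Microsoft's code; it assumes the portal serves its OData service document at <portal>/_odata (the assumed default path) and that a locked-down portal answers an unauthenticated request with 401/403 or an empty entity-set list.

```python
"""Audit helper: does a Power Apps portal's OData feed answer anonymous requests?

Constructed example. Assumes the service document lives at <portal>/_odata
(assumed default path) and that a correctly locked-down portal returns
401/403/404 or an empty entity-set list to an unauthenticated caller.
"""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def classify_service_document(status, body):
    """Return (verdict, entity_sets) for an unauthenticated GET of the feed.

    verdict is one of:
      "locked"  - anonymous users are rejected or see no entity sets
      "exposed" - anonymous users can enumerate entity sets (portal lists)
      "unknown" - the response is not an OData service document
    """
    if status in (401, 403, 404):
        return "locked", []
    if status != 200:
        return "unknown", []
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown", []
    if "@odata.context" not in doc or not isinstance(doc.get("value"), list):
        return "unknown", []
    names = [e.get("name") for e in doc["value"] if isinstance(e, dict) and e.get("name")]
    return ("exposed" if names else "locked"), names


def fetch_anonymously(portal_url, timeout=10):
    """GET your own portal's service document with no credentials -> (status, body)."""
    req = Request(portal_url.rstrip("/") + "/_odata", headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""


# Constructed sample of the service document an exposed portal would return.
SAMPLE_EXPOSED = json.dumps({
    "@odata.context": "https://portal.example.invalid/_odata/$metadata",
    "value": [{"name": "contacts", "url": "contacts"},
              {"name": "vaccination_appointments", "url": "vaccination_appointments"}],
})

if __name__ == "__main__":
    print(classify_service_document(200, SAMPLE_EXPOSED))  # ('exposed', [...])
    print(classify_service_document(403, ""))               # ('locked', [])
```

Run `fetch_anonymously` against your own portal and pass the result to `classify_service_document`; any "exposed" verdict means the lists named should be reviewed and anonymous access removed.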