2022-10-02 at 11:40 pm, #38501, Tanatorn Tilkanont (Participant)
Microsoft Data Breach Exposes 38M Records Containing PII
https://healthitsecurity.com/news/microsoft-data-breach-exposes-38m-records-containing-pii

1. Provide a brief description of the story.
“A Microsoft Power Apps data breach exposed 38 million records containing personally identifiable information (PII), according to a report from cybersecurity company UpGuard. The data breach impacted 47 organizations across multiple industries, including some governmental public health agencies.” – Jill McKeon, August 24, 2021.
Microsoft Power Apps is a cloud service that permits organizations to create their own business applications. Power Apps allows internal and external users to access data via public websites. The service allows users to enable the Open Data Protocol (OData) API, which lets organizations publicly display Power Apps lists. However, if this configuration is not set, anonymous users are permitted to access the data easily. This causes PII exposure, including names, COVID-19 contact tracing information, vaccination appointments, Social Security numbers, employee IDs, and email addresses. After the investigation, Microsoft set table permissions by default to prevent end-user misconfiguration and provided a tool for customers to self-diagnose their portals.

2. What is/are the impact(s) of this data breach? Consequences of the data breach.
This data breach impacted various organizations, including American Airlines, Ford, the Maryland Department of Health, the New York City Municipal Transportation Authority, and the state of Indiana. PII such as names, COVID-19 contact tracing information, vaccination appointments, Social Security numbers, employee IDs, and email addresses was exposed. This data breach caused a large impact on both organizations and individual people. Affected organizations may have to pay damages to affected individuals. The organizations' image of safety and protection is lost, and individuals may no longer trust the affected organizations. Not just organizations but also individual persons are impacted by the data breach. This attack caused damage to people, their finances, and their physical and mental well-being. A data breach, especially of PII, could lead to cybercrime.

3. How did the data breach occur?
Table/database permission configuration was not set by end users, so the Open Data Protocol (OData) APIs were enabled, allowing anonymous access. Therefore, sensitive data containing personally identifiable information was exposed to anonymous users.

4. What should be the main cause of the data breach? Provide a brief explanation of the cause of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration, human error, or third-party vendor error).
Human error is the main cause of this data breach, since the end user did not set the configuration, OData was enabled, and anonymous users were allowed to access data. The design of Microsoft Power Apps is another cause that may bring about human error. Thus, Microsoft took preventive action by setting the configuration by default to avoid the vulnerability.

5. How could you prevent this data breach attack?
To prevent this data breach attack, we need IT officers to recheck and maintain the system using Microsoft's self-diagnostic tools for table or data permissions. End users should be aware of the configuration unless it is set by default.
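The self-check described in questions 3 and 5 can be automated for a portal you administer: ask the portal's OData feed for its service document without any credentials, then see whether each listed entity set returns records to an anonymous caller. This is an added example, not code from the post or from Microsoft; it assumes the feed lives at `/_odata` with an OData v4 service document (`{"value": [{"name", "url"}, ...]}`), and the PII field-name hints and the sample responses are constructed for the demonstration.

```python
"""Self-audit: does your own Power Apps portal answer OData requests anonymously?"""
import json
import re
import urllib.request

# Column names that suggest PII (constructed list; extend for your own data model).
PII_HINTS = re.compile(r"(ssn|social|email|phone|birth|address|employeeid)", re.I)


def fetch_json(url):
    """Anonymous GET: no cookies, no Authorization header. Returns parsed JSON or None."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except Exception:  # 401/403/404 or network error: treat as "not anonymously readable"
        return None


def audit_portal(base_url, fetch=fetch_json):
    """Read the portal's OData service document (path assumed: /_odata) and probe each
    entity set with $top=5. Returns {entity_set: {"rows": n, "pii_fields": [...]}} for
    sets that hand records to an anonymous caller; {} means nothing was reachable."""
    root = base_url.rstrip("/") + "/_odata"
    service_doc = fetch(root)
    if not service_doc:
        return {}
    exposed = {}
    for entity in service_doc.get("value", []):
        records = (fetch(f"{root}/{entity['url']}?$top=5") or {}).get("value", [])
        if records:
            fields = {name for rec in records for name in rec}
            exposed[entity["name"]] = {
                "rows": len(records),
                "pii_fields": sorted(f for f in fields if PII_HINTS.search(f)),
            }
    return exposed


# Constructed sample responses standing in for a misconfigured portal (not real data).
SAMPLE = {
    "https://portal.example/_odata": {"value": [{"name": "contacts", "url": "contacts"},
                                                {"name": "news", "url": "news"}]},
    "https://portal.example/_odata/contacts?$top=5": {"value": [
        {"fullname": "Sample Person", "emailaddress1": "sample@example.test", "ssn": "000-00-0000"}]},
    "https://portal.example/_odata/news?$top=5": {"value": []},
}


def sample_fetch(url):
    """Offline stand-in for fetch_json, serving the constructed responses above."""
    return SAMPLE.get(url)


if __name__ == "__main__":
    print(json.dumps(audit_portal("https://portal.example", sample_fetch), indent=2))
```

Any entity set that appears in the result is one whose table permissions need to be reviewed; an empty result is the expected outcome for a correctly locked-down portal.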