2021-08-24

Some 38 million records of personal data were left exposed earlier this year by a misconfiguration in Microsoft software used by various businesses and organizations. Some of this data comes from Covid-19 contact-tracing platforms.

Computer security firm UpGuard on Monday released an account of a multi-month investigation showing that millions of names, addresses, tax identification numbers and other confidential information were exposed – but not compromised – before the problem was resolved.

47 groups involved

American Airlines, Ford, JB Hunt and public bodies such as the Maryland Health Authority and New York City public transport are among the 47 groups affected. What they have in common is that they used Microsoft's Power Apps software, which makes it easy to create websites and mobile applications for interacting with the public.

For example, if an institution needs to quickly set up an appointment booking portal for vaccines, this service from the IT giant provides both the public-facing front end and the data management behind it. But until June 2021, the software's default configuration did not adequately protect certain data, the UpGuard researchers explain. “Thanks to our research, Microsoft has since changed the Power Apps portals,” they say.





A risk not sufficiently taken into account

“Our tools make it possible to design solutions at scale, which meet a wide variety of needs. We take security and privacy seriously, and encourage our customers to configure products to best meet their privacy needs,” responded a Microsoft spokesperson. The group also indicated that it systematically informed its customers when potential risks of leaks were identified, so that they could remedy them.

But according to UpGuard, it is better to change the software based on how customers use it, rather than “seeing the widespread lack of data privacy as user misconfiguration, which keeps the problem going and puts the public at risk”. “The number of accounts where sensitive information was vulnerable shows that the risk associated with this feature – the likelihood and impact of a misconfiguration – had not been adequately taken into account,” they add.