ÂÌñÏׯÞ

InfoSec: Microsoft data leak puts 38m consumers’ records at risk ─Researchers

*Experts reveal that consumers’ personal data and COVID-19 vaccination records were reportedly included in the ‘massive’ breach

Gbenga Kayode | ÂÌñÏׯÞ

An estimated 38 million records from over 1,000 apps that use Microsoft’s Power Apps portals platform have been exposed, according to researchers.

ÂÌñÏ×ÆÞ gathered that those records are not only jam-packed with the typical personal data, such as phone numbers and addresses, but also include data from COVID-19 contact tracing efforts, vaccine registrations, and employee databases.

The security leak also reportedly exposed data from large companies and agencies alike, including Ford, American Airlines, logistics company JB Hunt, the Indiana Department of Health, and New York City public schools, according to Wired magazine, an agency report stated.

In the nick of time, research analysts from security risk platform company UpGuard first uncovered the issue in May 2021, when they found unprotected data from several Microsoft Power Apps portals online.

After investigating the matter further, UpGuard sent a vulnerability report to Microsoft in late June this year.

The researchers, the report said, showed what specific pieces of data were accessible and made suggestions about what Microsoft could do to disable anonymous access to it.

Accordingly, by mid-July, Microsoft was said to have announced that the situation was under control, and that most of the data from the Power Apps portals had been made private.

Consumers luck out

In the Indiana Department of Health’s (IDOH) situation in the United States (US) alone, there were nearly 750,000 Hoosiers whose data from the state’s COVID-19 online contact tracing survey was accessed.

The information supposedly included names, addresses, emails, genders, ethnicities and races, and dates of birth.

While that might seem dire, those people were actually pretty lucky. According to an announcement made by the state, it was able to get the company that accessed the data to sign a “certificate of destruction.”

The agreement confirms that the data was not released to any other entity and was destroyed by the company, according to the report.

State Health Commissioner Kris Box, M.D., FACOG, said of the situation: “We believe the risk to Hoosiers whose information was accessed is low.

“We do not collect Social Security information as a part of our contact tracing programme and no medical information was obtained.

“We will provide appropriate protections for anyone impacted.”
