Security company UpGuard said on Monday that approximately 38 million records (including private information) stored on Microsoft services this year were mistakenly exposed.
According to the digital security company's investigation, data including names, addresses, financial information and Covid-19 vaccination status was left vulnerable to attack, but was not compromised before the problem was resolved.
Among the 47 affected organizations are American Airlines, Ford, JB Hunt, and public agencies such as the Maryland Department of Health and the New York City Public Transportation System.
They all use a Microsoft product called Power Apps, which allows the creation of websites and mobile applications to interact with the public.
UpGuard stated that the service's default software configuration settings meant that the affected organizations' data was not protected until June 2021.
The report said: “As a result of this research project, Microsoft has made changes to the Power Apps portal.”
Microsoft said it informs customers when potential security risks are discovered so that they can fix the problem themselves.
“We attach great importance to security and privacy, and we encourage customers to use best practices when configuring products in a way that best meets their privacy needs,” a spokesperson said.
But UpGuard stated that it is better to change the way the software works at the source, based on how customers use it, rather than “marking the loss of systematic data confidentiality as an end-user configuration error so that the problem persists.”



