Exposed data includes phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, from a range of sources including employee databases, job application indexes, and contact tracing platforms. It’s certainly far from the biggest data exposure in recent months, but this is a high-profile one, with affected companies including big names like American Airlines, Ford, and the New York City Municipal Transportation Authority.

How Did It Happen?

A Power Apps portal essentially helps an organization launch a quick pre-fab web application that can handle user sign-ups and maintain a database of information. In the world of website design, that’s one of the pricier types of sites. Particularly since the COVID-19 pandemic began around March 2020, these web apps have been in high demand. In May 2021, Wired magazine reports, researchers at the security firm UpGuard spotted a number of Microsoft Power Apps portals that were exposing data that should have stayed private — one core API would expose data by default, and most customers weren’t manually correcting this in order to keep their database private. The portal design has since been tweaked to fix the issue.

“It Was Wild”

There’s no evidence that any bad actors noticed the exposed data and took advantage by stealing it, but it’s not a great look for a service with as much brand authority as Microsoft. It even surprised the researchers who uncovered the problem.

There are a few takeaways here. First, some of the issue may be chalked up to the rapid growth of online infrastructure due to 2020’s sudden shift to remote work. More importantly, though, it’s a reminder that the buck stops with cloud providers when it comes to making their defaults as secure as possible: sure, the Power Apps customers could have tweaked the default API, but they shouldn’t be expected to.

Perhaps the biggest takeaway of all, however, is that even the biggest names in internet services won’t keep your data safe all the time. And as great as a password manager or a VPN is, this is one case in which your social security number is out of your hands. But, uh, happy Monday!