The MS PowerApps Fiasco

When you hear the words: “Microsoft” and “data breach” in the same sentence, chances are your eyes will widen with panic. The ubiquity of Microsoft’s software and hardware means that most organizations and people interact with the brand in one way or another. Whether it’s Teams, Office 365, or Power Apps, Microsoft is everywhere.

The breach in hand today is to do with Power Apps – but it’s not a cyber attack. This incident stems from a misconfiguration issue – an increasingly prominent risk with the rise of cloud services.

The key stat to know is that a whopping 38 million records – involving Covid-19 contact tracing information, social security numbers, names, phone numbers, and email addresses – were inadvertently exposed.

The good news is that, if you were impacted by this leak, you should already know about it. It was discovered by security researchers at UpGuard – white hats so to speak – who quickly got in contact with many companies that were affected. These included big names like Ford, American Airlines, NYC Schools and J.B. Hunt.

At this point, you’re likely thinking: how did this breach happen? What’s a misconfiguration issue? How can I make sure the same thing doesn’t happen to me? Read on to find out.

First things first, what is MS PowerApps?

Microsoft Power Apps is a prominent “low-code” tool. It’s a portal that can be used for creating tailored web or mobile apps. It’s “low-code” because it is easy and intuitive to operate. With a little training, almost anyone can create an app with MS Power Apps, which is great for encouraging innovation and productivity within enterprises.

Power Apps stores the data inputted into it in a table format. Remember this for later, as this is where the breach arose from!

Got it – so, what’s a misconfiguration?

Before we dive into this specific misconfiguration issue, let’s first define the growing risk of cloud and application misconfigurations.

It’s important to note that misconfigurations aren’t a new threat. They’re simply gaining prominence as more and more companies use cloud-based applications and collaboration tools.

A cloud misconfiguration is any cybersecurity error or gap that leaves your cloud environment – or the data stored in it – exposed to theft or loss. As a simple example, think of Google Docs. Let’s say you’ve made a spreadsheet that contains sensitive financial information. Rather than setting the document to private, you left it public. This means that anyone can access it if they have the link or stumble across it on the Internet. Not only is this a compliance risk but, if the data gets into the wrong hands, it could have serious consequences for your organization.

The thing is – cloud misconfigurations can be way more expansive than that. Whole troves of data and company information could – and have been – inadvertently exposed. To make things complex, there’s also the cloud’s shared responsibility model to consider.

Make sure you don’t make the mistake of thinking that, when your data is in the cloud, it’s completely up to the cloud provider to secure it. Sure, they’re responsible for securing the underlying infrastructure – and tend to do a good job of it – but, when it comes to access management, controlling your data and application build testing, the responsibility lies with you.

Because of this overlapping responsibility – and the complexity of cloud security – Gartner predicted, back in 2018, that 95% of all cloud security incidents would be the customer’s fault by 2020. We think the guys there might have a crystal ball – because that prediction appears to be on the money.

Gartner’s next prediction is that, “through to 2025, 99% of cloud security failures will be the customer’s fault.”… Yikes! While this is scary to consider – particularly as we’re just using the cloud more and more – knowledge is power. By learning from other organizations’ mistakes and being proactive, you can ensure cloud security isn’t your downfall.

Speaking of learning from mistakes, let’s discuss the MS Power Apps breach.

What Happened?

In May of this year, security researchers at Upguard discovered that a huge number of PowerApps portals were publicly exposing data on the Internet. As we’ve mentioned, a lot of that data was sensitive, putting the companies in question at risk of compliance fines in like with HIPPA, GDPR and state privacy laws.

Remember how we said that Power Apps is low-code? Well, that’s kind of part of the issue. The simplicity of using the tool meant that people who lacked IT and security experience could use it and, therefore, created apps that weren’t secure.

Interestingly, in this case, it wasn’t just Microsoft customers’ data that had been exposed. Upguard also found that Microsoft’s own databases were exposed in the portals – including their global payroll and customer insights data.

How was the Data Exposed?

As we’ve explored, this exposure stems from misconfiguration.

It turns out that, by default, the PowerApps portal stored the data that was in these tables – technically known as API data – publicly. What this means is that, by default, permissions were disabled, meaning that anyone could access the data in these tables.

Evidently, a huge number of customers – and perhaps Microsoft itself – never bothered to check their settings. This means that any data stored on the portal could in theory be publicly accessible on the open web — leading to an unintended data disclosure.

Power Apps is just the latest in a long line of misconfiguration incidents that led to a data breach. According to Verizon’s Data Breach Investigation Report, misconfigurations accounted for 10% of all breaches in 2020.

What You Should Do

Following the report of the leak, Microsoft has changed Power App’s default settings, so that they are not automatically public. This means that when someone starts a new project, the settings will be private – unless the user changes them.

While this is good for new projects, old projects may still be vulnerable. So, if UpGuard hasn’t come knocking on your door but you use Power Apps, it is definitely worth checking your privacy settings, and ensuring that only those who need to have access to the platform do. If you’re not sure where to start, Microsoft has released a Portal Checker tool where you can resolve your portal settings.

Of course, the issue of misconfiguration is much broader than just Power Apps. According to Verizon’s Data Breach Investigation Report, misconfigurations accounted for 10% of all breaches in 2020. We think that this leak serves as an excellent reminder to check your broader cloud configurations – and amp up your security – so that your company isn’t the next one in the headlines.

Below, we explore how.

How to Avoid This in the Future

Invest in a CASB 2.0: Cloud access security broker solutions (CASB) are the guardians of your cloud environment. Next generation solutions offer real-time visibility into the cloud. This helps you to spot and fix cloud misconfigurations in real-time. But the benefits of CASBs go way beyond just misconfiguration remediation. They can also help with access and identity management, data loss prevention and more. For an overview of CASBs, read our guide here.

Secure your data: Linking to CASBs, you want to make sure your CASB solution also offers cloud-based data loss prevention (DLP) capabilities. DLP works by encrypting sensitive data in real-time as it is shared, downloaded or uploaded. This ensures that only authorized people are able to access sensitive data.

Train your people: In an ideal world, misconfigurations wouldn’t even happen in the first place. At their core, these issues are the result of human error. This is why training is paramount. By educating your people on the tools they use – and how to use them securely – you can drastically reduce your chances of error.

Audit: Last but not least, you should get into the habit of regularly auditing your cloud environment to check for misconfigurations. This will make sure that no error slips through the cracks.


Get latest blogs delivered to your inbox