The data leak, which affected American Airlines, Maryland’s health department and New York’s Metropolitan Transportation Authority, among others, led to the exposure of at least 38 million records, including employee information as well as data related to Covid-19 vaccinations, contact tracing and testing appointments, according to UpGuard, the cybersecurity firm that uncovered the issue.
After UpGuard privately notified Microsoft and the affected organizations, the leaks were plugged and the ability to access the information removed. But while the information was unsecured, names, Social Security numbers, phone numbers, dates of birth, demographic information, addresses and even dates of employer drug tests and union membership data were available to anyone with the know-how and inclination to look, said UpGuard.
In the case of Ford Motor Co., UpGuard said, lists of loaner vehicles distributed to dealerships had also been exposed.
“When we learned about the issue, we acted quickly to assess the risk (low) and close the gap,” Ford spokesman T.R. Reid told CNN Business. “There was no breach of sensitive personal information.”
It is unclear which federal agencies may have been affected by the issue.
Several of the impacted organizations contacted by CNN Business, including American Airlines, the Maryland health agency, the MTA and New York’s Department of Education, confirmed that their systems have been secured and that there is no indication their data was improperly accessed.
Microsoft told CNN that only a small number of its customers had configured their systems in a way that allowed data to be accessed by unauthorized viewers.
“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” a Microsoft spokesperson said in a statement. The company has since altered the software’s security settings so that it is more restrictive by default for some users.
“That’s what made so many organizations vulnerable to this potential problem,” Rethmeyer said, adding that “for the most part, our experience was people were very amenable to wanting to get on top of this quickly and correct it, and nobody was aware this was a potential security concern.”
In a statement, American Airlines said its version of the misconfiguration affected “business contact information pertaining to corporate travel managers.”
“Passenger data was not impacted,” said company spokesperson Andrea Koos. “We appreciate the work security companies such as UpGuard perform to keep our business and customers safe.”
Charles Gischlar, a spokesperson for Maryland’s health department, said the agency investigated the UpGuard report and found that “there was nothing to suggest any kind of disclosure of personal identifiable information or personal health information at any point.”
A spokesperson for New York City schools said the department is committed to protecting the privacy of its school communities, and that steps were immediately taken to secure the data and to prevent another leak. An MTA official told CNN no data was stolen and the issue was fixed.
The issue traces back to a privacy setting in Microsoft Power Apps, a product widely used by public and private entities to share data. Some organizations, such as public health agencies, have used Power Apps to allow members of the public to access details of their own Covid-19 test results or vaccination records. Other organizations used the software for internal record-keeping purposes.
By default, an access setting designed to limit what data a user can see and that could have prevented the leaks had been set to off, according to UpGuard’s report. UpGuard said it first discovered the issue in one organization on May 24. After scanning the web for similarly unsecured databases and finding numerous other examples, UpGuard reported the issue to Microsoft on June 24 as a potential software vulnerability. According to the report, Microsoft responded saying the settings were working as designed; Microsoft did not dispute that account to CNN.
UpGuard said it began notifying affected organizations in early July, with many plugging the leak within days. By the end of July, data hosted on a domain that appeared to support US government agencies’ use of Power Apps was no longer public, UpGuard said.
Microsoft told CNN Monday that it has changed the default settings so that organizations using Power Apps’ basic templates and design tools will have the privacy setting enabled automatically. Microsoft told CNN that other organizations doing more complex or custom development on Power Apps will still need to enable the setting themselves. Microsoft has also released a tool to help organizations verify their settings, UpGuard said.
Microsoft declined to answer CNN’s questions about whether there was a specific reason for the initial default setting. But the company said it has provided guidance to developers and made documentation readily available that advises organizations on how to properly configure the software according to their needs.