What is the Microsoft data leak and how can I protect myself?

Over the past couple of weeks, you may have seen a story about a data breach affecting Microsoft in the news.

Research has shown that around 38 million records from apps using Microsoft’s Power Apps portal platform have been made available online.

The leaked data was stored in Microsoft’s Power Apps portal service, a development platform where users can create web or mobile apps to use externally. The breach affected 47 organisations in total, including American Airlines, Ford and the New York City Municipal Transportation Authority.

In an official statement, Microsoft said “we take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”

While none of the data has been compromised, it did include:

  • Full names
  • Email addresses
  • Phone numbers
  • Job titles
  • Union membership
  • Covid-19 vaccination status

In May, investigations by security company UpGuard found that users’ data became publicly accessible when the platform’s application programming interface (API) was enabled. This was because users had to manually enable privacy settings, leaving some apps misconfigured. Microsoft said the flaw was “by design” and closed the investigation a month later.

Security misconfiguration continues to be a major cause of cloud data leaks, forcing companies like Google Cloud Platform to take further steps to store customers’ data privately by default.

So what does this mean for Power Apps users, and how can they protect their data online?

How can I protect my personal data online?

Microsoft has since made sure the portal keeps data private by default. However, there are a couple of extra steps you can take to keep your data secure:

  • Keep personal data to a minimum, and consider how much data you are storing on the platform. Always ask yourself the question ‘Would you want someone to access this data?’ before sharing your personal information online.
  • Consider who is accessing your data, and how many users have access, particularly if it’s for school, college, or work.
  • Set up multi-level security settings. There are four different layers of security, including app-level, form-level, and field-level. These can restrict access to the app, control how people enter or view data by their job role, and assign access to certain records. More information is available here.
