The data breach, which affected American Airlines, the Maryland Department of Health and the Metropolitan Transportation Authority of New York, among others, led to the exposure of at least 38 million records, including information on employees as well as data relating to Covid-19 vaccinations, contact tracing and testing appointments, according to UpGuard, the cybersecurity company that discovered the problem.
After UpGuard privately informed Microsoft and the affected organizations, the exposed data was secured and public access to it was removed. But while the information was unsecured, names, Social Security numbers, phone numbers, dates of birth, demographic information, addresses and even the dates of employees’ drug tests and union membership data were available to anyone with the know-how and inclination to look, UpGuard said.
In the case of Ford Motor Co., UpGuard said, lists of loaner vehicles distributed to dealers had also been exposed. Ford did not immediately respond to a request for comment.
It is not known which federal agencies may have been affected by the problem.
Several of the affected organizations contacted by CNN Business, including American Airlines, the Maryland Department of Health, the MTA and the New York City Department of Education, have confirmed that their systems are now secure and that there is nothing to indicate their data was improperly accessed.
Microsoft told CNN that only a small number of its customers have their systems configured to allow access to data by unauthorized viewers.
“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products to best meet their privacy needs,” a Microsoft spokesperson said in a press release. The company has since changed the software’s security settings to be more restrictive by default for some users.
“This is what has made so many organizations vulnerable to this potential problem,” Rethmeyer said, adding that “for the most part our experience was that people were very willing to want to get this on top of things quickly and fix it, and no one was aware of this was a potential safety issue.”
In a statement, American Airlines said its version of the misconfiguration affected “professional contact information for business travel managers.”
“Passenger data has not been affected,” said Andrea Koos, spokesperson for the company. “We appreciate the work security companies like UpGuard do to keep our business and our customers safe.”
Charles Gischlar, spokesperson for the Maryland Department of Health, said the agency investigated the UpGuard report and found that “there was nothing to suggest any disclosure of personally identifiable information or personal health information at any time.”
A spokesperson for New York City Schools said the department is committed to protecting the privacy of its school communities and immediate steps have been taken to secure the data and prevent another leak. An MTA official told CNN that no data was stolen and the issue was resolved.
The problem can be traced back to a privacy setting in Microsoft Power Apps, a product widely used by public and private entities to share data. Some organizations, such as public health agencies, have used Power Apps to allow members of the public to access details of their own Covid-19 test results or immunization records. Other organizations have used the software for internal record keeping purposes.
By default, an access setting designed to limit the data a user can see, which could have prevented the leaks, was disabled, according to the UpGuard report. UpGuard said it first discovered the problem at one organization on May 24. After searching the web for similarly insecure databases and finding numerous other examples, UpGuard reported the issue to Microsoft on June 24 as a potential software vulnerability. According to the report, Microsoft responded that the settings were working as expected; Microsoft did not dispute this account to CNN.
UpGuard said it began notifying affected organizations in early July, with many patching the leak within days. At the end of July, data hosted on a domain that appeared to support the use of Power Apps by U.S. government agencies was no longer public, UpGuard said.
Microsoft told CNN on Monday that it changed the default settings so that organizations using Power Apps core templates and design tools have the privacy setting enabled automatically. Microsoft told CNN that other organizations doing more complex or custom development on Power Apps will still need to enable the setting themselves. Microsoft has also released a tool to help organizations verify their settings, UpGuard said.
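The two passages above describe the failure mode (a portal list that is readable by anyone, because the setting that filters records per user is off) and the remedy (verify the setting on every portal you run). The following script is an added example of the kind of self-check an organization could run against its own portals; it is not the tool Microsoft released and not code from UpGuard or CNN. It assumes that Power Apps portals serve list data as an OData feed under a `/_odata/<entity set>` path and that a portal with permissions enforced either rejects an anonymous request or returns no rows; the portal URL, entity set names, the sample responses and the PII field heuristic are all constructed for the example.

```python
"""Audit your own Power Apps portals for anonymously readable OData feeds.

Added example (not Microsoft's, UpGuard's or CNN's code). Assumptions:
  * list data is served at <portal>/_odata/<entity set>   (assumed path)
  * a properly permissioned feed answers an anonymous request with
    401/403 or with a 200 and an empty "value" array.
"""
import json
import re
from urllib import error, request
from urllib.parse import urljoin

ODATA_PATH = "/_odata/"  # assumed location of portal list feeds

# Constructed heuristic: column names that usually hold personal data.
PII_PATTERNS = re.compile(r"ssn|social|birth|dob|phone|email|address|vaccin|covid", re.I)


def classify_feed(status: int, body: bytes) -> dict:
    """Classify one anonymous response to an OData feed.

    Returns exposed=True only when unauthenticated access yields rows;
    a blocked request or an empty feed is not evidence of exposure.
    """
    result = {"exposed": False, "records": 0, "pii_fields": []}
    if status != 200:  # 401/403 (permissions enforced) or anything else
        return result
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON: a login page or error HTML, not data
        return result
    rows = doc.get("value")
    if not isinstance(rows, list) or not rows:
        return result  # reachable but filtered to nothing for anonymous users
    result["exposed"] = True
    result["records"] = len(rows)
    fields = set()
    for row in rows:
        fields.update(k for k in row if not k.startswith("@"))  # skip OData annotations
    result["pii_fields"] = sorted(f for f in fields if PII_PATTERNS.search(f))
    return result


def fetch_anonymous(base_url: str, entity_set: str, timeout: int = 10):
    """Request a feed with no credentials and return (status, body)."""
    url = urljoin(base_url, ODATA_PATH + entity_set)
    req = request.Request(url, headers={"Accept": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def audit_portal(base_url: str, entity_sets, fetch=fetch_anonymous) -> dict:
    """Check every named entity set on one portal; returns findings per set."""
    return {name: classify_feed(*fetch(base_url, name)) for name in entity_sets}


# Constructed sample responses standing in for a live portal (offline run).
SAMPLE_RESPONSES = {
    "contacts": (200, json.dumps({"value": [
        {"@odata.etag": "W/1", "fullname": "A. Example", "ssn": "000-00-0000",
         "mobilephone": "555-0100", "birthdate": "1970-01-01"},
        {"@odata.etag": "W/2", "fullname": "B. Example", "ssn": "000-00-0001",
         "mobilephone": "555-0101", "birthdate": "1971-01-01"},
    ]}).encode()),
    "appointments": (403, b""),                       # permissions enforced
    "results": (200, json.dumps({"value": []}).encode()),  # reachable, filtered
}


def fake_fetch(base_url: str, entity_set: str):
    """Offline stand-in for fetch_anonymous using the constructed samples."""
    return SAMPLE_RESPONSES.get(entity_set, (404, b""))


if __name__ == "__main__":
    findings = audit_portal("https://portal.example", SAMPLE_RESPONSES, fetch=fake_fetch)
    for name, finding in findings.items():
        state = "EXPOSED" if finding["exposed"] else "ok"
        print(f"{name:14s} {state:8s} rows={finding['records']} pii={finding['pii_fields']}")
```

Run against a real portal by passing your own base URL and the entity set names from the portal's configuration, with the default `fetch_anonymous`; any feed reported as EXPOSED is one where the per-user record filtering the article describes is not in effect.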
Microsoft declined to answer questions from CNN on whether there was a specific reason for the initial default setting. But the company said it has provided advice to developers and made documentation available that advises organizations on how to properly configure the software according to their needs.