- AppOmni researchers have found a configuration error in sites built with Microsoft Power Pages
- As a result, data about millions of people leaked onto the Internet
- UK NHS among affected companies, while other companies were urged to investigate immediately
Companies in both the private and public sectors have leaked the personally identifiable information (PII) of millions of people because of misconfigured sites built with a Microsoft website-building platform.
Experts from AppOmni revealed the flaw stems from misconfigurations in Microsoft’s Power Pages, a low-code platform within the Microsoft Power Platform suite that allows users to build websites without having to be expert programmers.
However, due to misconfigured access controls (namely excessive permissions for the Anonymous role), many websites leaked “significant amounts of data.” That information included full names, email addresses, telephone numbers and home addresses.
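The exposure described above comes down to table permissions that grant the built-in "Anonymous Users" web role access to tables holding personal data. The following is an added example, not code from the article or from AppOmni, of an offline audit that a site owner could run over an export of their own table-permission rules. It models each rule by the fields that decide exposure (table, access type, privileges, assigned web roles), which is an assumption that simplifies the real configuration; the table names in the sample rules are constructed.

```python
from dataclasses import dataclass, replace

ANONYMOUS_ROLE = "Anonymous Users"
AUTHENTICATED_ROLE = "Authenticated Users"
# Constructed list of tables that usually hold personal data; extend per site.
PII_TABLES = {"contact", "account", "systemuser", "annotation"}


@dataclass(frozen=True)
class TablePermission:
    """Simplified model of one Power Pages table-permission record.
    Assumption: the real record has more fields; these decide exposure."""
    name: str
    table: str             # Dataverse table logical name
    access_type: str       # "Global", "Contact", "Account", "Self" or "Parent"
    privileges: frozenset  # subset of {"Read","Write","Create","Delete","Append","AppendTo"}
    web_roles: frozenset   # web roles the permission is assigned to


def is_anonymous_pii_read(rule):
    """True when unauthenticated visitors can read a table that holds PII."""
    return (ANONYMOUS_ROLE in rule.web_roles
            and rule.table in PII_TABLES
            and "Read" in rule.privileges)


def audit(rules):
    """Return (severity, rule name, reason) for every rule that gives the
    Anonymous role anything; PII reads are 'high', the rest are 'review'."""
    findings = []
    for r in rules:
        if ANONYMOUS_ROLE not in r.web_roles:
            continue
        if is_anonymous_pii_read(r):
            findings.append(("high", r.name,
                             f"anonymous Read on PII table '{r.table}'"))
        else:
            findings.append(("review", r.name,
                             f"anonymous {sorted(r.privileges)} on '{r.table}' "
                             f"({r.access_type} access); confirm it is intended"))
    return findings


def harden(rule):
    """Corrected copy of a high-severity rule: drop the Anonymous role, require
    sign-in, and narrow global scope to the signed-in contact's own records.
    Rules that are not high severity are returned unchanged."""
    if not is_anonymous_pii_read(rule):
        return rule
    roles = (rule.web_roles - {ANONYMOUS_ROLE}) | {AUTHENTICATED_ROLE}
    access = "Contact" if rule.access_type == "Global" else rule.access_type
    return replace(rule, web_roles=frozenset(roles), access_type=access)


# Constructed sample rules: the first is the kind of misconfiguration the
# article describes; the other two are common, legitimate public patterns
# that still deserve a look (table names 'faq_article'/'feedback' are hypothetical).
WEAK_RULES = [
    TablePermission("Contacts for site", "contact", "Global",
                    frozenset({"Read"}), frozenset({ANONYMOUS_ROLE, AUTHENTICATED_ROLE})),
    TablePermission("Public FAQ", "faq_article", "Global",
                    frozenset({"Read"}), frozenset({ANONYMOUS_ROLE})),
    TablePermission("Feedback form", "feedback", "Global",
                    frozenset({"Create"}), frozenset({ANONYMOUS_ROLE})),
]

if __name__ == "__main__":
    for severity, name, reason in audit(WEAK_RULES):
        print(f"[{severity}] {name}: {reason}")
    fixed = [harden(r) for r in WEAK_RULES]
    print("high findings after hardening:",
          [f for f in audit(fixed) if f[0] == "high"])
```

The audit deliberately reports every rule that names the Anonymous role, not only the PII reads, because a public FAQ and an anonymous feedback form are normal uses of that role and the reviewer should confirm them rather than have them hidden. The hardening step shows the shape of the fix the article implies: read access to people data is moved behind authentication and scoped to the requesting contact instead of being global.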
NHS among those affected
Power Pages is primarily aimed at business users and developers who need to build sites that integrate with business data from sources like Microsoft Dataverse, and apparently has more than 250 million monthly users.
“During my research, I discovered several million records of sensitive data exposed to the public internet through authorized testing alone,” the researcher said, suggesting the breach is likely even larger (since this was found through “authorized testing only”). The data consists primarily of internal organizational files and sensitive PII belonging both to internal organizational users and to other users registered on the website.
Among the affected organizations was the NHS – Britain’s National Health Service – which allegedly leaked sensitive information on more than 1.1 million employees. The healthcare giant has since closed the gap. The researchers declined to name the other organizations that leaked data, possibly because those holes have not yet been closed.
Misconfigured databases are one of the leading causes of data breaches. Over the years, there have been many cases where organizations maintained large archives of sensitive customer files without even a weak password, let alone a strong one.