COMMENT: Microsoft Power Apps data breach exposes personal details of 38 million people
August 2021 by Matt Aldridge, Lead Solutions Consultant at Webroot
Matt Aldridge, Lead Solutions Consultant at Webroot, comments on this morning's news that a data exposure in Microsoft Power Apps left the personal data of some 38 million people accessible, and on what businesses can do to keep their own data protected. The exposed records included personal information such as phone numbers and COVID vaccination status, and the organisations affected include global companies such as American Airlines and Ford as well as a number of New York City public schools. As this incident shows, cybersecurity has never been more important.
“All organisations should be working hard to ensure that sensitive customer and employee data remains secure and protected. This is important as, in this case, the sheer amount and quality of data exposed could make for extremely targeted social engineering attacks if it were to end up in the wrong hands. For example, being able to incorporate details such as COVID vaccination status can enable cybercriminals to create exceptionally plausible phishing attacks against the employees of the organisations affected, helping fuel future attacks.
Vendors also must take responsibility for ensuring that their solutions are secure by design, and they should not expect their users to be aware of the nuances of configuring a secure solution, particularly when they are making a solution which is very easy to use for their customers. Fortunately, in this case the data exposure was found by security researchers, who responsibly disclosed the issues to those affected, but it could easily have been cybercriminals making this discovery and walking away with millions of high-quality personal data records.
From a reputation protection standpoint, being in the spotlight for data protection transgressions and data breaches is not good for business. This story serves as a reminder for all organisations to invest appropriately in data protection and cyber defences, and wherever possible to ensure that they have their approach validated by trusted independent third parties. As well as technical controls, such as next-generation anti-malware and web access security solutions, it is critical to ensure that staff are properly trained to prevent leaks, and that their skills are regularly tested.”