Data Leak Exposes 38 Million Records From Misconfigured Access Control Setting of Microsoft Power Apps

Microsoft Power AppsOn May 24, UpGuard discovered the first company to have misconfigured a privacy setting in Microsoft Power Apps, a widely-used software to share data, which inadvertently exposed customer personal information to the public internet for months on end.

Since then, at least 47 different organizations have been affected and 38 million records exposed. 

According to UpGuard, names, social security numbers, phone numbers, dates of birth, addresses and COVID-19 vaccination records, and even dates of employer drug tests were made accessible to “anyone with the know-how and inclination to look.” Affected companies included American Airlines, Maryland’s Health Department, and the New York Metropolitan Transportation Authority. 

The vulnerability was first reported to Microsoft on June 24 by security researchers after discovering a string of similarly unsecured databases, and since then has been traced back to a misconfigured access control setting in Microsoft Power Apps that allowed sensitive data to be accessed by unauthorized users. This led to a potential security concern because by default, this setting is not restrictive.  

According to a spokesperson from UpGuard, this was “not something most organizations knew to look for in their existing security audits.” 

Though several impacted companies like Ford Motor Co. have since acted quickly to assess the risk and resolve the security issue, this data leak is a prime example of how detrimental it can be when companies misconfigure their database settings, and more so, how easy it is for organizations to skim over a critical piece of information that can jeopardize the lives of tens of millions of people. 

Let’s do our part to make the world a safer place. Learn more at


Tu Phan