Covid-19 Vaccination Statuses Part of Microsoft’s Latest Data Leak

data leak

Data leaks are a part of doing business when it comes to gathering and storing information. This is an issue as old as the internet itself, however, we’re in an unprecedented time where a whole new category of sensitive data had been introduced and now must be stored and protected, namely individuals Covid-19 vaccination status’.

Without a doubt Coronavirus has changed the way most of humanity now operates, and with any new change comes new challenges as Microsoft has recently discovered on more than a thousand web applications, using their Power Apps portals platform.

The question now becomes “to what scale was the leak?” The answer: just around 38 million records, including, according to Upguard, 332,000 email addresses as well as Microsoft employee IDs. If that’s not bad enough, it’s said to also have contained Coronavirus contact tracing information along with individuals’ home addresses, social security numbers, as well as their vaccination information, including status. On the surface, all that information may seem staggering, but at the time of this being written, it’s reported that there’s no sign as of yet that any of the exposed data has been compromised.

Microsoft provided Engadget with the following statement: “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”

The question now becomes, is it the fault of Microsoft themselves?

Not completely. The Power Apps version in question is that of Office 365, and theoretically, was a brilliant rollout. The issue started when realizing that any information the AI touched automatically became public and accessible if you simply knew where to look. It’s important to keep in mind that this all happened with the Power Apps default configuration, if you decided to manually configure the set up then you’d be able to make sure that there were certain privacy restrictions to avoid this problem altogether. In a perfect world, Microsoft should update their product to make sure that it’s ready to use “out of the box” as opposed to trying to put it off on the user as a “misconfiguration” on their end.

The “38 Million Record” question is “how to mitigate the risk of this from happening to your business?” The main thing you can do is only allow certain IP addresses access to your information, this adds another level of control and reduces the risk of any foreign entity finding a way to access it.

It’s common to find companies that aren’t fully aware of the path that their data is being sent along when in reality, the path between two locations (especially when it comes to hyper-sensitive information) is just as important as the locations themselves. Depending on which way your data center is configured it’s common that it’s either constructed in one of two ways, either security or function and often times it’s much more difficult to build in security afterward when a system wasn’t fundamentally designed with security in mind. Here at Protected Harbor everything we build is designed “security first”.

Learn about our Protected Data Center here.

For example, we keep all of our storage onsite, monitored locally, and controlled end to end with each client partitioned to keep incidents fully isolated. Imagine an apartment building, now imagine renting a studio apartment that doubles as a cold war style bunker, that’s the type of security and segmentation we offer. Based on the industry we also work to help clients procure SOC, SOC2, HIPAA, PCI certifications to further their client’s belief in them to offer a secure home for even their most delicate data.

Overall, Microsoft offers some truly incredible business tools, it’s just a matter of making sure we’re all looking under the hood prior to installing and being certain the configuration is optimal for whatever your needs may be, while also keeping in mind the importance of the path your data is taking and monitoring it throughout its journey.