Microsoft Power Apps Data Breach

Written by The Lyon Firm on August 25, 2021. Posted in Data Breach.

Thank you for considering The Lyon Firm. At this time, we are not accepting plaintiffs related to this specific consumer issue. However, if you would like to be contacted in the future, please complete the contact form. By completing the form, you will be contacted if the Firm begins accepting new cases on this matter, and you will also be included in firm news alerts related to important consumer safety and privacy issues to help keep you informed about related issues.

A Microsoft data breach has reportedly exposed almost 40 million records containing personally identifiable information (PII), Social Security numbers, employee IDs, and email addresses. The data breach has now impacted dozens of organizations across the country, including American Airlines, Ford, Maryland Department of Health, New York City Municipal Transportation Authority, and the state of Indiana.

On May 24, an UpGuard analyst discovered that the Open Data Protocols (OData) API for an organization’s Microsoft Power Apps portal that contained an anonymously accessible list of data.

On Microsoft Power Apps, users can enter, store and retrieve data from other applications. The service also allows organizations to publicly display Power Apps lists. But the software design has now left certain permissions vulnerable. When the configurations are not set properly, and the OData feed is enabled, anonymous users can access data.

The Lyon Firm is investigating Microsoft data breach claims and is actively involved in numerous data privacy cases and has experience filing data security claims on behalf of plaintiffs nationwide.

What Kind of Personal Data is Valuable?

Cybercriminals can use unique personal data for a number of fraudulent activities. Commonly stolen medical data can include:

Names
Phone Numbers
Addresses
Social Security numbers
Financial information
Health insurance IDs
Driver’s License numbers