The UpGuard research team has disclosed multiple data leaks stemming from Microsoft Power App portals configured to allow public access. A total of 38 million records have been exposed.

Power Apps are used to build low-code, cloud-hosted business intelligence apps, and Power Apps portals are used to create public websites so internal and external users can gain access to an organization's data. The issue UpGuard is reporting involves the Open Data Protocol (OData) API that is designed to retrieve data from Power Apps lists, used to expose records for display on portals.

In its documentation for Power Apps portals, Microsoft warns OData feeds are public if they are misconfigured. If the correct configurations are not set and the OData feed is enabled, then list data can be freely accessed by anonymous users.

Researchers discovered this is the case for many organizations' data. On May 24, 2021, an UpGuard researcher found the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. A report was submitted to Microsoft on June 24.

UpGuard notified 47 organizations of exposures via the OData API involving personal data. Those affected include governmental bodies such as the state of Indiana, New York City Municipal Transportation Authority and NYC Schools, and the Maryland Department of Health, as well as private entities including American Airlines, Microsoft, and J.B. Hunt.

The types of exposed data vary depending on the portal but include personal data used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses.

Read UpGuard's full blog post for more information.