With the internet, people are no longer tied local storage. Data becomes portable, and accessible from anywhere.
But the thing is, data that isn't stored locally, and can be accessed through the internet, requires lots of protection to prevent unwanted individuals from accessing the data.
And this time, more than a thousand of web apps have mistakenly exposed 38 million user records to the open internet, including data from a number of 'COVID-19' contact-tracing apps, as well as vaccination sign ups, job application portals, employee databases, and more.
The data that has been exposed included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers, and more.
This happens because the data was stored inside Microsoft's Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use.
Even Microsoft made a mistake.
It all started back in May, when researchers from the security firm Upguard began investigating a large number of Power Apps portals that publicly exposed data that should have been private, which apparently also included some Power Apps that Microsoft made for its own purposes.
The issue happened on the very foundation of the Power Apps platform.
On their report, the researchers explained that when Power Apps' ready-made application programming interface (API) is enabled, the platform would default the corresponding data to publicly accessible.
Enabling privacy settings was a manual process.
Because of this, many Power Apps users, even Microsoft itself, misconfigured their apps by leaving the insecure default.
Microsoft has addressed the issue, shortly after the discovery.
Fortunately, none of the data is known to have been compromised. But still, the discovery is significant.
The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, New York's Department of Education, New York City public schools and more.
At least 47 organizations had been unknowingly exposing their information due to the misconfiguration
When storing data inside the clouds, customers are simply renting the space, and outsource the job so they don't have to deal with the technical details of things.
However, the task to protect the data, is still on the customers' hands.
Misconfiguration of cloud-based databases has been a serious issue over the years, and have had exposed huge quantities of data to inappropriate access or theft.
Major cloud companies like Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure have all taken steps to store customers' data privately and flag potential misconfigurations.
"We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs," a Microsoft spokesperson said in a statement.
But issues can still happen.
The researchers at Upguard have been studying cloud misconfigurations and data exposures for years. But this time, they were still surprised to to discover those issues in a platform they'd never seen before.
“We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” said Greg Pollock, UpGuard's Vice President of Cyber Research.
“Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”