Thousands of apps and portals that use Microsoft’s Power Apps platform mistakenly leaked about 38 million confidential records and left them exposed for months on the open internet, a new report says.
The leaked data included job applicants' social security numbers, employee IDs, millions of names and email addresses as well as personal information used for Covid-19 contact tracing and vaccination appointments, UpGuard said in Monday's report.
Power Apps is a suite of apps, services and connectors as well as a data platform that provides a development environment for building custom applications for businesses.
“This research presents an example of a larger theme, which is how to manage third-party risks [and exposures] posed by platforms that don't slot neatly into vulnerability disclosure programmes as we know them today,” UpGuard said.
The company said it has notified 47 affected entities so far. These include government institutions in Indiana, Maryland and New York City as well as private companies like American Airlines, JB Hunt and Microsoft.
Founded in 2012, Upguard helps businesses manage cybersecurity risk.
Using Power Apps, customers can quickly build customised business apps that connect to their data stored either in the underlying data platform or in various online and on-premises data sources such as SharePoint, Microsoft 365 and Dynamics 365.
Microsoft did not immediately respond to The National's request for comment.
The main Power Apps marketing page lists the ability to access “your data either anonymously or through commercial authentication” as one of the top features.
“Our conversations with the entities we notified suggested the same conclusion … multiple government bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicised as a data security concern before,” UpGuard said in its findings.
It revealed that in cases like compromised registration pages for Covid-19 vaccinations, there are data types that should be public (like the locations of vaccination sites and available appointment times) as well as sensitive data that should be private, like the personal information of the people being vaccinated.
The increase in cyber threats has led to a surge in global spending on cyber security, which is forecast to rise about 125 per cent to $363.05 billion by 2025 from 2019, research consultancy Mordor Intelligence said.
In March, cyber espionage group Hafnium reportedly exploited Microsoft's widely used email and calendar Exchange server, breaching more than 30,000 commercial and local government entities in the US.
MORE ON IRAN'S PROXY WARS
'Tell the Machine Goodnight' by Katie Williams
Penguin Randomhouse
Key facilities
- Olympic-size swimming pool with a split bulkhead for multi-use configurations, including water polo and 50m/25m training lanes
- Premier League-standard football pitch
- 400m Olympic running track
- NBA-spec basketball court with auditorium
- 600-seat auditorium
- Spaces for historical and cultural exploration
- An elevated football field that doubles as a helipad
- Specialist robotics and science laboratories
- AR and VR-enabled learning centres
- Disruption Lab and Research Centre for developing entrepreneurial skills
Dhadak 2
Director: Shazia Iqbal
Starring: Siddhant Chaturvedi, Triptii Dimri
Rating: 1/5
Everything Now
Arcade Fire
(Columbia Records)
Why are asylum seekers being housed in hotels?
The number of asylum applications in the UK has reached a new record high, driven by those illegally entering the country in small boats crossing the English Channel.
A total of 111,084 people applied for asylum in the UK in the year to June 2025, the highest number for any 12-month period since current records began in 2001.
Asylum seekers and their families can be housed in temporary accommodation while their claim is assessed.
The Home Office provides the accommodation, meaning asylum seekers cannot choose where they live.
When there is not enough housing, the Home Office can move people to hotels or large sites like former military bases.
Infiniti QX80 specs
Engine: twin-turbocharged 3.5-liter V6
Power: 450hp
Torque: 700Nm
Price: From Dh450,000, Autograph model from Dh510,000
Available: Now
GAC GS8 Specs
Engine: 2.0-litre 4cyl turbo
Power: 248hp at 5,200rpm
Torque: 400Nm at 1,750-4,000rpm
Transmission: 8-speed auto
Fuel consumption: 9.1L/100km
On sale: Now
Price: From Dh149,900
The%20specs
%3Cp%3E%3Cstrong%3EEngine%3A%3C%2Fstrong%3E%201.8-litre%204-cyl%20turbo%0D%3Cbr%3E%3Cstrong%3EPower%3A%20%3C%2Fstrong%3E190hp%20at%205%2C200rpm%0D%3Cbr%3E%3Cstrong%3ETorque%3A%3C%2Fstrong%3E%20320Nm%20from%201%2C800-5%2C000rpm%0D%3Cbr%3E%3Cstrong%3ETransmission%3A%20%3C%2Fstrong%3ESeven-speed%20dual-clutch%20auto%0D%3Cbr%3E%3Cstrong%3EFuel%20consumption%3A%3C%2Fstrong%3E%206.7L%2F100km%0D%3Cbr%3E%3Cstrong%3EPrice%3A%3C%2Fstrong%3E%20From%20Dh111%2C195%0D%3Cbr%3E%3Cstrong%3EOn%20sale%3A%20%3C%2Fstrong%3ENow%3C%2Fp%3E%0A
EA%20Sports%20FC%2024
%3Cp%3EDeveloper%3A%20EA%20Vancouver%2C%20EA%20Romania%3Cbr%3EPublisher%3A%20EA%20Sports%3Cbr%3EConsoles%3A%20Nintendo%20Switch%2C%20PlayStation%204%26amp%3B5%2C%20PC%20and%20Xbox%20One%3Cbr%3ERating%3A%203.5%2F5%3C%2Fp%3E%0A
AI traffic lights to ease congestion at seven points to Sheikh Zayed bin Sultan Street
The seven points are:
Shakhbout bin Sultan Street
Dhafeer Street
Hadbat Al Ghubainah Street (outbound)
Salama bint Butti Street
Al Dhafra Street
Rabdan Street
Umm Yifina Street exit (inbound)
MATCH INFO
Quarter-finals
Saturday (all times UAE)
England v Australia, 11.15am
New Zealand v Ireland, 2.15pm
Sunday
Wales v France, 11.15am
Japan v South Africa, 2.15pm
