Microsoft Power Pages misconfigurations exposing sensitive data

Submitted by Style Pass, 2024-11-17 11:00:05

Private businesses and public-sector organizations are unwittingly exposing millions of people's sensitive information to the public internet because they misconfigure Microsoft’s Power Pages website creation program.

So says Aaron Costello, chief of SaaS security research at security-for-SaaS vendor AppOmni, who uncovered the issue in September.

In a post published Thursday, Costello details how he uncovered "significant amounts of data" – both internal org files and personally identifiable information (PII) – left out in the open for anyone to take a look at, thanks to misconfigured access controls in websites built using Power Pages.

"In one case, a large shared business service provider for the [UK National Health Service] NHS was leaking the information of over 1.1 million NHS employees, with large portions of the data including email addresses, telephone numbers, and even home addresses of the employees," he wrote.

When asked about other organizations' leaking data, Costello declined to name names. "Several million records of sensitive data were found exposed to the public internet from authorized testing alone, and both private organizations and government entities are known to be affected, including those in technology, health, and finance," he told The Register.
