Published Date: 2021-08-23
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident happened in May 2021 [Article 117824]. 2. The incident was discovered on May 24, 2021 [Article 117824]. 3. The incident was reported to Microsoft on June 24, 2021 [Article 117824]. |
System | 1. Microsoft Power Apps portal service [Article 117845, Article 117824] 2. Misconfigured setting in Microsoft software [Article 117845, Article 117848] |
Responsible Organization | 1. Dozens of major companies, state and federal agencies, and other organizations misconfigured a setting in their Microsoft software, leading to the exposure of millions of people's personal information [117845, 117824]. 2. The misconfiguration in Microsoft Power Apps, a product widely used by public and private entities, allowed for the exposure of sensitive data [117824]. 3. Microsoft itself exposed databases in its own Power Apps portals due to misconfigurations [117824]. |
Impacted Organization | 1. American Airlines [Article 117845, Article 117824, Article 117848] 2. Maryland’s health department [Article 117845, Article 117824, Article 117848] 3. New York’s Metropolitan Transportation Authority (MTA) [Article 117845, Article 117824, Article 117848] 4. Ford Motor Co. [Article 117845, Article 117824] 5. J.B. Hunt [Article 117824] 6. New York City Department of Education [Article 117845] 7. State government of Indiana [Article 117824] |
Software Causes | 1. Misconfigured setting in Microsoft software, specifically in Microsoft Power Apps, which allowed unauthorized access to data [117845, 117824, 117848] 2. Default privacy settings in Power Apps portals that made data publicly accessible if not manually configured [117824] 3. Lack of proper configuration and oversight in managing cloud-based databases, leading to data exposure [117824] |
Non-software Causes | 1. Misconfiguration of a setting in Microsoft software led to the exposure of personal information due to human error [117845, 117824, 117848]. 2. Lack of awareness about the potential security concern among organizations contributed to the vulnerability [117845]. 3. Existing security audits did not catch the issue because it had not previously been identified as a problem [117845]. 4. Default privacy settings in Microsoft Power Apps were not secure, leading to data exposure [117824, 117848]. 5. Manual process required to enable privacy settings in Power Apps, leading to misconfigurations [117824]. 6. Oversight in the design of Power Apps portals that allowed data to be publicly accessible [117824]. 7. Lack of secure and private defaults in cloud-based databases [117824]. 8. Inadequate prioritization of addressing misconfigurations and data exposures in the industry until fairly recently [117824]. |
Impacts | 1. The software failure incident led to the exposure of at least 38 million records, including sensitive personal information such as names, Social Security numbers, phone numbers, dates of birth, demographic information, addresses, and even dates of employer drug tests and union membership data [Article 117845, Article 117848]. 2. Organizations like American Airlines, Ford, J.B. Hunt, Maryland Department of Health, New York City Municipal Transportation Authority, and New York City public schools were affected, exposing data from Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases [Article 117824]. 3. The incident affected both public and private entities that had misconfigured their Microsoft Power Apps, leading to inadvertent exposure of data that should have been private [Article 117824, Article 117848]. 4. The exposed data was stored in Microsoft's Power Apps portal service, and the incident highlighted the consequences of one bad configuration setting in a popular platform [Article 117824]. 5. The impacted organizations took immediate action to secure their systems and prevent unauthorized access to the exposed data [Article 117845, Article 117848]. |
Preventions | 1. Properly configuring the privacy settings in Microsoft Power Apps to limit data access could have prevented the software failure incident [117845, 117824, 117848]. 2. Ensuring that default settings in software platforms prioritize privacy and security by default could have helped prevent the exposure of sensitive data [117824, 117848]. 3. Conducting regular security audits and checks to identify misconfigurations and vulnerabilities in software systems could have detected and prevented the issue [117845, 117824, 117848]. 4. Promptly addressing and fixing misconfigurations once identified, as done by UpGuard when notifying Microsoft and affected organizations, could have mitigated the risk of data exposure [117845, 117824, 117848]. 5. Providing clear guidance and best practices to organizations on how to configure software products securely according to their privacy needs could help prevent similar incidents in the future [117845, 117848]. |
Fixes | 1. Properly configuring the privacy settings in Microsoft Power Apps to limit data access and prevent leaks [Article 117845, Article 117824, Article 117848]. 2. Implementing secure default settings in Power Apps portals to store API data and other information privately [Article 117824]. 3. Encouraging organizations to use best practices when configuring products to meet their privacy needs [Article 117845]. 4. Providing guidance to developers and making documentation readily available to advise organizations on how to configure the software properly according to their needs [Article 117845]. 5. Changing the default settings in Power Apps to be more restrictive by default for some users [Article 117845]. 6. Releasing a tool to help organizations verify their settings and ensure proper configuration [Article 117824, Article 117848]. |
References | 1. UpGuard [Article 117845, Article 117824] 2. Microsoft [Article 117845, Article 117824] 3. Various organizations affected by the software failure incident, such as American Airlines, Ford, J.B. Hunt, Maryland Department of Health, New York City Municipal Transportation Authority, New York City public schools, etc. [Article 117824, Article 117848] |

Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - Microsoft's Power Apps software misconfiguration incident affected various organizations, including American Airlines, Maryland's health department, New York's Metropolitan Transportation Authority, Ford Motor Co., J.B. Hunt, the state government of Indiana, and even Microsoft itself [117845, 117824, 117848]. - The incident involved the exposure of sensitive personal information due to a misconfiguration setting in Microsoft's Power Apps, leading to the inadvertent exposure of millions of people's data to the public internet [117845, 117824, 117848]. - Microsoft has since altered the software's security settings to be more restrictive by default for some users and released a tool to help organizations verify their settings [117845, 117824, 117848]. (b) The software failure incident having happened again at multiple_organization: - The incident affected more than a thousand web apps, exposing 38 million records, including data from Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases [117824]. - Organizations affected by the incident included American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools [117824]. - The exposure of data was due to a misconfiguration in Microsoft's Power Apps portal service, which made the data publicly accessible when privacy settings were not enabled [117824]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase occurred due to a misconfiguration setting in Microsoft Power Apps, a product widely used by public and private entities to share data. The default access setting that could have prevented the leaks was set to off, allowing unauthorized viewers to access sensitive information. This misconfiguration led to the exposure of at least 38 million records, including personal information such as names, Social Security numbers, phone numbers, dates of birth, addresses, and more [Article 117845, Article 117824]. (b) The software failure incident related to the operation phase occurred as dozens of major companies, state and federal agencies, and other organizations misconfigured a setting in their Microsoft software, inadvertently exposing millions of people's personal information to the public internet for months. The data leak affected organizations like American Airlines, Maryland's health department, and New York's Metropolitan Transportation Authority. However, after being notified, the affected organizations secured their systems, and there was no indication that the data was improperly accessed [Article 117845]. |
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident reported in the articles was primarily within the system. The incident was caused by misconfigurations in Microsoft software, specifically in Microsoft Power Apps, which led to the exposure of sensitive data from various organizations [117845, 117824, 117848]. The misconfiguration of a privacy setting within the software allowed unauthorized access to personal information, including names, Social Security numbers, phone numbers, dates of birth, addresses, and more. This issue originated from how the software was configured internally, leading to the inadvertent exposure of data to the public internet. (b) Additionally, the incident also involved contributing factors that originated from outside the system. While the misconfigurations were internal to the software itself, the exposure of the data to the public internet meant that external entities, such as security researchers like UpGuard, were able to identify and report the issue to Microsoft and the affected organizations [117845, 117824, 117848]. The external exposure of the data highlighted the impact of the misconfigurations on a larger scale, affecting millions of individuals and organizations beyond the immediate system boundaries. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident in the articles was primarily caused by a misconfiguration setting in Microsoft Power Apps, a product widely used by organizations to share data [117845, 117824, 117848]. - The misconfiguration setting in Power Apps allowed data to be accessed by unauthorized viewers, leading to the exposure of sensitive information such as names, Social Security numbers, phone numbers, dates of birth, addresses, and more [117845, 117824, 117848]. - The default access setting in Power Apps that could have prevented the leaks was set to off, making the data publicly accessible [117824]. - The incident exposed millions of records, including data related to Covid-19 vaccinations, contact tracing, testing appointments, and employee information [117845, 117824, 117848]. - UpGuard, the cybersecurity firm that uncovered the issue, discovered the misconfiguration in one organization on May 24 and subsequently found numerous other examples of unsecured databases [117824]. - Microsoft has since altered the software's security settings to be more restrictive by default for some users and released a tool to help organizations verify their settings [117845, 117824, 117848]. (b) The software failure incident occurring due to human actions: - The misconfiguration setting in Microsoft Power Apps that led to the data leak was a result of human actions, specifically organizations misconfiguring the access settings in the software [117845, 117824, 117848]. - UpGuard notified Microsoft and the affected organizations about the issue, prompting them to plug the leaks and remove unauthorized access to the information [117845]. - The incident highlighted the consequences of one bad configuration setting in a popular platform, emphasizing the importance of secure default settings and proper configuration by users [117824]. - Several major companies and organizations, including American Airlines, Ford, J.B. Hunt, and state agencies like the Maryland Department of Health and New York City public schools, were affected by the misconfiguration issue [117824, 117848]. - Microsoft has taken steps to address the issue by changing default settings and providing guidance to developers on proper configuration [117845, 117824, 117848]. |
Dimension (Hardware/Software) | software | (a) The articles do not mention any hardware-related issues that contributed to the software failure incident. Therefore, there is no information available about hardware-related factors contributing to the incident. (b) The software failure incident reported in the articles was due to misconfigurations in Microsoft software, specifically in Microsoft Power Apps. The misconfiguration of a privacy setting in Power Apps led to the exposure of sensitive data from various organizations, including American Airlines, Maryland's health department, New York's Metropolitan Transportation Authority, Ford Motor Co., and others. This misconfiguration allowed unauthorized access to personal information such as names, Social Security numbers, phone numbers, dates of birth, addresses, and more. The incident exposed at least 38 million records, including data related to Covid-19 vaccinations, contact tracing, and testing appointments [117845, 117824, 117848]. |
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident described in the articles was non-malicious. It was caused by misconfigurations in Microsoft software that inadvertently exposed millions of people's personal information to the public internet. The incident affected various organizations, including American Airlines, Maryland's health department, New York's Metropolitan Transportation Authority, Ford Motor Co., J.B. Hunt, and others. The exposure of sensitive data like names, Social Security numbers, phone numbers, dates of birth, and more was a result of unintentional misconfigurations in the software settings [Article 117845, Article 117824, Article 117848]. |
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The intent of the software failure incident: - The software failure incident was primarily due to poor_decisions, specifically misconfigurations in Microsoft software that inadvertently exposed millions of people's personal information to the public internet for months [117845, 117824, 117848]. - The misconfiguration of a setting in Microsoft Power Apps, a widely used development platform, led to the exposure of sensitive data including names, Social Security numbers, phone numbers, dates of birth, addresses, and more [117845, 117824]. - UpGuard, the cybersecurity firm that uncovered the issue, found that at least 47 organizations had unknowingly exposed their information due to the misconfiguration, highlighting the impact of poor decisions in configuring the software [117845, 117824]. - Microsoft acknowledged that only a small number of its customers had configured their systems in a way that allowed unauthorized access to data, indicating that the failure was a result of poor decisions made during the configuration process [117845]. - The incident affected major companies, state and federal agencies, and other organizations, emphasizing the widespread consequences of the misconfigurations in the Microsoft software [117845, 117824, 117848]. (b) The intent of the software failure incident: - The software failure incident can also be attributed to accidental_decisions, as organizations inadvertently exposed sensitive data due to mistakes or unintended decisions in configuring the Microsoft software [117845, 117824, 117848]. - UpGuard's discovery of the misconfigurations in Microsoft Power Apps was accidental, as they stumbled upon one misconfigured organization and then realized the systemic issue affecting numerous organizations [117824]. - The default setting in Power Apps portals that made data publicly accessible was an unintended consequence, leading to the exposure of a wide range of sensitive information [117824]. - Microsoft's response to the incident, including changing default settings and providing tools to verify settings, indicates a recognition of the unintended consequences of the initial configuration choices [117824, 117848]. - The incident highlights the importance of secure default settings to prevent unintentional exposure of data, emphasizing the need for cloud providers to offer secure and private defaults to avoid such accidental data leaks [117824]. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development incompetence: - The incident of data leak affecting major companies and organizations, including American Airlines, Maryland’s health department, and New York’s Metropolitan Transportation Authority, was caused by misconfiguring a setting in Microsoft software, leading to the exposure of at least 38 million records [Article 117845]. - The misconfiguration in Microsoft Power Apps, a widely used product, allowed data to be accessed by unauthorized viewers due to a default access setting designed to limit data visibility being set to off [Article 117845]. - UpGuard discovered the issue in one organization on May 24 and reported it to Microsoft on June 24 as a potential software vulnerability. Microsoft responded that the settings were working as designed, indicating a lack of awareness or action regarding the potential security concern [Article 117845]. (b) The software failure incident occurring accidentally: - More than a thousand web apps mistakenly exposed 38 million records on the open internet, including sensitive data from Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. This exposure was due to a misconfiguration in Microsoft's Power Apps portal service, where enabling APIs defaulted to making data publicly accessible, leading to accidental exposure of data [Article 117824]. - The incident highlighted how one bad configuration setting in a popular platform like Power Apps can have far-reaching consequences, indicating an accidental oversight in the design of the platform that has since been fixed [Article 117824]. |
Duration | temporary | (a) The software failure incident in the articles was temporary. The incident occurred due to misconfigurations in Microsoft software, specifically in Microsoft Power Apps, which inadvertently exposed millions of people's personal information to the public internet for months. Security researchers discovered the issue and notified Microsoft and the affected organizations, leading to the leaks being plugged and access to the information removed [117845, 117824, 117848]. (b) The software failure incident was not permanent as it was caused by specific misconfigurations in the software that allowed unauthorized access to sensitive data. Once the issue was identified, steps were taken to rectify the misconfigurations and secure the data, indicating that the failure was not a permanent state but rather a result of specific circumstances [117845, 117824, 117848]. |
Behaviour | omission, value | (a) crash: The incident did not involve a system crash where the system loses state and stops performing its intended functions [117845, 117824, 117848]. (b) omission: The software failure incident involved omission where the system omitted to perform its intended functions by misconfiguring a setting in Microsoft software, leading to the exposure of personal information [117845, 117824, 117848]. (c) timing: The incident did not involve a timing failure where the system performed its intended functions correctly but at the wrong time [117845, 117824, 117848]. (d) value: The software failure incident involved a value failure where the system performed its intended functions incorrectly by exposing sensitive personal information due to misconfiguration [117845, 117824, 117848]. (e) byzantine: The incident did not involve a byzantine failure where the system behaved erroneously with inconsistent responses and interactions [117845, 117824, 117848]. (f) other: The behavior of the software failure incident can be categorized as a misconfiguration leading to unintended exposure of sensitive data due to a setting error in Microsoft software [117845, 117824, 117848]. |

Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |

Category | Option | Rationale |
---|---|---|
Consequence | property, theoretical_consequence | The consequence of the software failure incident described in the articles is mainly related to the exposure of sensitive personal information due to misconfigured settings in Microsoft software. This led to the potential risk of unauthorized access to personal data, including names, Social Security numbers, phone numbers, dates of birth, addresses, and other sensitive information. However, there were no reported consequences such as death, physical harm, impact on basic needs, property loss, or delays due to the software failure incident. The incident primarily focused on data exposure and potential privacy breaches ([117845], [117824], [117848]). |
Domain | information, transportation, health, government | The failed system in the software failure incident was related to multiple industries. Here is the breakdown based on the information from the articles: (a) information: The incident involved the exposure of personal information, including employee data, Covid-19 vaccination details, contact tracing information, and testing appointments [117845, 117824, 117848]. (b) transportation: Organizations like American Airlines and the New York Metropolitan Transportation Authority were affected by the data leak incident [117845, 117824, 117848]. (j) health: The Maryland Department of Health was one of the organizations impacted by the misconfiguration of the Microsoft software, leading to the exposure of sensitive data related to health information [117845, 117824, 117848]. (l) government: The incident affected state and federal agencies, such as the Maryland health department, and potentially other government entities that were not specifically mentioned in the articles [117845, 117824, 117848]. Therefore, the failed system was intended to support industries related to information, transportation, health, and government. |
Article ID: 117845
Article ID: 117824
Article ID: 117848