Massive Personal Data Leak in MS Software... Estimated 38 Million Cases

Published 26 Aug.2021 13:38(KST)

Updated 15 Mar.2023 16:43(KST)

open/close

'MS Power Apps' Defect in App Development
47 Major Corporations and Government Agencies Affected

[Image source=Reuters Yonhap News]

[Asia Economy Reporter Kim Suhwan] A defect in software released by Microsoft (MS) has led to the leakage of 38 million users' personal information.

DPA news agency reported on the 25th (local time) that due to a defect in MS's recently released business software 'MS Power Apps,' users' names, addresses, phone numbers, emails, and other information were leaked in large quantities.

Additionally, information related to health, such as COVID-19 contact tracing and vaccination status, was also exposed.

Cybersecurity company UpGuard, which discovered the defect, notified MS of the risk on June 24, but claims that MS did not pay proper attention.

UpGuard added that this massive leakage occurred due to a personal information setting error in the problematic software, and that at least 47 companies and institutions were affected.

Especially, CNN reported that not only private companies using the problematic software but also government agencies experienced user personal information leaks.

The leaked list included the Maryland Department of Health, New York Metropolitan Transportation Authority, American Airlines, and Ford, and CNN reported that the personal information of their employees circulated for several months.

These companies have since strengthened security and stated to CNN that there was no evidence of personal information theft.

MS issued a statement explaining that only a small number of users had unauthorized access to data within the system and later changed the security settings of the problematic software.

[Image source=AP Yonhap News]

Meanwhile, on the same day, President Joe Biden held a meeting at the White House inviting CEOs of big tech companies to request cooperation from the private sector in the field of cybersecurity.

Satya Nadella, CEO of MS, who attended the meeting, announced that MS will invest $20 billion (approximately 23 trillion KRW) over five years to strengthen cybersecurity. Foreign media reported that this amount is four times the current scale. After the meeting, Nadella revealed on Twitter that MS will also invest $150 million (approximately 175 billion KRW) to improve cybersecurity systems in government agencies.

President Biden emphasized cooperation during the meeting, stating, "The reality is that the private sector owns and operates most of our critical infrastructure, and the federal government cannot face this challenge alone." He added, "I believe you have the authority, capability, and responsibility to raise the standards of cybersecurity," and said, "There is much work to be done."

The meeting was held amid a series of cyberattack incidents, including the ransomware attack on the largest U.S. pipeline company, Colonial Pipeline, and last year's SolarWinds hacking incident.

President Biden has recently shifted the priority of foreign policy toward responding to cyberattacks as hacking cases, including ransomware attacks, have continued against federal government and key industry companies.

Recently, he signed an executive order mandating the implementation of two-factor authentication for account logins for all U.S. government agency employees. In June, during his first meeting with Russian President Vladimir Putin, he handed over a list of 16 infrastructure sectors and warned not to target them.