Data leak exposes tens of millions of private records from

The data leak, which affected American Airlines, Maryland’s health department and New York’s Metropolitan Transportation Authority, among others, led to the exposure of at least 38 million records, including employee information as well as data related to Covid-19 vaccinations, contact tracing and testing appointments, according to UpGuard, the cybersecurity firm that uncovered the issue.

After UpGuard privately notified Microsoft and the affected organizations, the leaks were plugged and the ability to access the information removed. But while the information was unsecured, names, Social Security numbers, phone numbers, dates of birth, demographic information, addresses and even dates of employer drug tests and union membership data were available to anyone with the know-how and inclination to look, said UpGuard.

In the case of Ford Motor Co., UpGuard said, lists of loaner vehicles distributed to dealerships had also been exposed.

“When we learned about the issue, we acted quickly to assess the risk (low) and close the gap,” Ford spokesman T.R. Reid told CNN Business. “There was no breach of sensitive personal information.”

It is unclear which federal agencies may have been affected by the issue.

Several of the impacted organizations contacted by CNN Business, including American Airlines, the Maryland health agency, the MTA and New York’s Department of Education, confirmed that their systems have been secured and that there is no indication their data was improperly accessed.

Microsoft told CNN that only a small number of its customers had configured their systems in a way that allowed data to be accessed by unauthorized viewers.

“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” a Microsoft spokesperson said in a statement. The company has since altered the software’s security settings so that it is more restrictive by default for some users.

At least 47 organizations had been unknowingly exposing their information due to the misconfiguration, UpGuard said in a report published Monday summarizing its work. The company told CNN that there may well have been more organizations that it did not find out about. Because the issue had not been previously identified, it was not something most organizations knew to look for in their existing security audits, said Kelly Rethmeyer, a spokesperson for UpGuard.

“That’s what made so many organizations vulnerable to this potential problem,” Rethmeyer said, adding that “for the most part, our experience was people were very amenable to wanting to get on top of this quickly and correct it, and nobody was aware this was a potential security concern.”

Other organizations cited in UpGuard’s report include the freight giant J.B. Hunt, the state government of Indiana and Microsoft itself. J.B. Hunt didn’t immediately respond to a request for comment. A spokesperson for the state of Indiana declined to…

Read More: Data leak exposes tens of millions of private records from