1.1 Million UK NHS Employee Records Exposed From Microsoft Power Pages Misconfiguration

Security researchers from AppOmni have uncovered millions of business records that are accessible to anyone through low-code website builder Microsoft Power Pages.

Over a million NHS employee records — including email addresses, phone numbers, and home addresses — were exposed online due to a misconfiguration of the low-code website builder Microsoft Power Pages.

In September, researchers with the software-as-a-service security platform AppOmni identified a large shared business service provider for the NHS that was allowing unauthorised access to sensitive data through insecure permission settings on Power Pages.

Specifically, the permissions on some tables and columns in Power Pages Web API were too broad, inadvertently granting access to “Anonymous” users or those who aren’t logged in. The misconfiguration has since been disclosed to the NHS and resolved.

However, AppOmni’s authorised testing also uncovered several million other records belonging to organisations and government entities which were exposed because of the same misconfigurations ...