Data leaks from websites built on Microsoft Power Pages, including 1.1 million NHS records

Graham CLULEY

November 26, 2024


A security researcher has blamed misconfigured implementations of Microsoft Power Pages for a slew of data breaches from web portals - including the leak of 1.1 million NHS employee records.

It's the latest discovery by Dublin-based security researcher Aaron Costello, who previously discovered that the health and personal details of over a million citizens had been accidentally exposed by Ireland's HSE Covid vaccination portal.

As Costello explains in a blog post, misconfigured access controls in Power Pages - a Microsoft software-as-a-service (SaaS) application used to help develop web portals - are exposing sensitive data to unauthorised anonymous users.

Amongst the several organisations impacted is the NHS, where a third-party contractor configured and deployed a web portal that leaked sensitive payroll records - such as names, email addresses, phone numbers, and home addresses.

"Typically, what we see with public entities is they have identified a need for some service, a crucial service, whether that's Covid appointments or payroll information for NHS employees, and they're in a rush to get this out and functional," Costello told BreakingNews.ie. "Security then goes to the back of mind."

Although the NHS has understandably hit many of the headlines, Costello says that the flaw has exposed data from organisations worldwide, including government agencies, with other leaked data including internal files from organisations using the platform, as well as external users who have registered on the affected web portals.

According to Costello, the problem has occurred because portal administrators have failed to properly understand how to configure the access controls of Power Pages, and left sensitive data exposed through APIs.

It seems churlish to blame Microsoft, the developer of Power Pages, entirely for the problem as in Costello's words it does "a great job of putting these warning banners and signs in your admin panel on Power Pages."

The problem instead appears to be one of website administrators not realising the consequences of their configuration choices - which have left sensitive information accessible to anybody on the internet.

The challenge with those developing apps like Power Pages is to create a product that is easy to use, whilst remaining tricky to use incorrectly or unsafely.

Costello says he has informed all of those organisations who he found leaking data through misconfigured web portals, and that they have now been fixed.


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
