Power BI Vulnerability Exposes Sensitive Data


Researchers uncover major security flaw in Microsoft's business intelligence tool

Cybersecurity experts have recently discovered a concerning security flaw in Power BI, Microsoft's popular business intelligence tool. The vulnerability, which has been reported to affect "tens of thousands" of organizations worldwide, could allow malicious actors to access sensitive data including employee, customer, business, and government information, as well as protected health and personally identifiable information.

How does the Power BI flaw work?

The issue arises from the way Power BI reports are structured. Each report is built on a semantic model containing the data used for its visuals. When a report is shared, however, the recipients can access not only the data shown in the visuals but also the underlying raw data held in the semantic model. This includes fields that are explicitly marked as "hidden" within the model, as well as the detailed records that the report's filters leave out of the display.
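Because hiding a field only affects what the report canvas shows, a report author needs to find every item that relies on "hidden" before publishing. The following audit script is an added example, not code from the article, Nokod or Microsoft; it assumes the semantic model is available as a TMSL-style JSON document (the model.bim format used by Power BI Desktop projects and Analysis Services), where tables and columns carry an `isHidden` flag and row-level-security roles appear under `roles`. The sample model is constructed.

```python
"""Audit a Power BI semantic model for data that is merely hidden, not removed."""
import json

# Constructed sample in TMSL/model.bim style; a real audit would load model.bim.
SAMPLE_MODEL = json.dumps({
    "model": {
        "tables": [
            {"name": "Sales", "columns": [
                {"name": "Region", "dataType": "string"},
                {"name": "Amount", "dataType": "decimal"},
                # Hidden on the canvas, but still readable by anyone the report is shared with.
                {"name": "CustomerSSN", "dataType": "string", "isHidden": True},
            ]},
            # A whole table can be hidden too; that does not restrict access either.
            {"name": "Employees", "isHidden": True, "columns": [
                {"name": "Name", "dataType": "string"},
                {"name": "Salary", "dataType": "decimal"},
            ]},
        ],
        "roles": [],  # no row-level security defined in this sample
    }
})


def hidden_items(model_json: str) -> list[str]:
    """Return 'Table' or 'Table[Column]' names whose only protection is isHidden."""
    model = json.loads(model_json)["model"]
    found = []
    for table in model.get("tables", []):
        if table.get("isHidden"):
            found.append(table["name"])
        for col in table.get("columns", []):
            if col.get("isHidden"):
                found.append(f"{table['name']}[{col['name']}]")
    return found


def has_rls_roles(model_json: str) -> bool:
    """True if the model defines at least one role with a table-level filter."""
    roles = json.loads(model_json)["model"].get("roles", [])
    return any(r.get("tablePermissions") for r in roles)


def audit(model_json: str) -> dict:
    """Summarise what a reader of the shared report could still reach."""
    return {
        "exposed_hidden_items": hidden_items(model_json),
        "rls_defined": has_rls_roles(model_json),
    }


if __name__ == "__main__":
    for item in hidden_items(SAMPLE_MODEL):
        print(f"hidden but still exposed when shared: {item}")
```

Every item the script lists should either be dropped from the model before publishing or be covered by a row-level-security role, since neither hiding nor report filters keep it away from report recipients.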

Researchers have expressed concern over the ease of exploiting this flaw, noting that sensitive data can be extracted online and anonymously. Publicly accessible reports can even be found through search engines, allowing anyone to extract sensitive data from them without much difficulty.

Microsoft's response to the Power BI vulnerability

After being alerted to the issue, Microsoft responded by stating that the behavior was a design choice rather than a vulnerability. The company emphasized that it is the responsibility of organizations creating and sharing the reports to ensure no sensitive information is disclosed.

Contrary to Microsoft's stance, researchers at Nokod believe this is indeed a significant security concern. They have provided guidance on how to better protect data while creating Power BI reports, as well as a free risk assessment tool to help organizations mitigate potential risks.

As the digital landscape continues to evolve, the discovery of such vulnerabilities highlights the ongoing need for robust cybersecurity measures to protect sensitive data from unauthorized access.