Greetings,
A colleague at another university has discovered a technique to extract sensitive information from dashboards (public and private) created with Power BI. Specifically, once a Power BI dashboard is published, the Power BI API exposes the complete source data set, including the table schema and row-level data, rather than only the data used in the report's visualizations. This issue has been reported to Microsoft, and the Power BI team responded that this is intended behavior.
If you have published one or more Power BI reports in an on-prem environment (not O365), and you were not contacted directly by our office, we ask for your assistance. To help us measure the scope of this vulnerability and mitigate it, please take the following actions by COB Friday, October 16:
- Inventory all of your published Power BI dashboards (public and private)
- Identify the highest level of IU data classification in source data tables for each Power BI report[1]
- Send an email to 4542935@ir.iu.edu with the results of the above two items
To mitigate this vulnerability, do not use a table as a Power BI data source if any of its data carries an IU data classification of Critical, Restricted, or University Internal. Because the published API exposes every column and row of an imported table, removing a sensitive field from a visual does not protect it. Instead, create a separate table containing only the aggregated counts the dashboard needs, and import only that aggregate table into Power BI as its data source.
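The following T-SQL is an added illustration of the mitigation above; it is not part of the UISO notice and not code from Microsoft. It assumes the source data lives in SQL Server, and the table and column names (dbo.Enrollment, dbo.EnrollmentCounts, and their columns) are hypothetical. It goes one step beyond the notice in two places, both labeled in the comments: a small-cell suppression threshold on the aggregate, and a least-privilege grant so the account Power BI uses cannot read the row-level table even by mistake.

```sql
-- Added illustration, not part of the UISO notice. dbo.Enrollment,
-- dbo.EnrollmentCounts and all column names are hypothetical.

-- WEAK PATTERN: the dashboard imports the row-level table directly. Even if
-- the visuals only chart headcounts, the published Power BI API exposes every
-- column and row of the imported table, including ssn_last4 and gpa.
--   Power BI data source: dbo.Enrollment   <-- do not do this
CREATE TABLE dbo.Enrollment (
    student_id   INT          NOT NULL,
    term         CHAR(6)      NOT NULL,   -- e.g. '2020FA'
    department   VARCHAR(64)  NOT NULL,
    level        VARCHAR(16)  NOT NULL,   -- 'UG' or 'GR'
    gpa          DECIMAL(4,2) NULL,       -- Restricted
    ssn_last4    CHAR(4)      NULL        -- Critical: must never reach Power BI
);

-- MITIGATION: a separate aggregate table holding only the counts the
-- dashboard needs. This is the only object Power BI should import.
--   Power BI data source: dbo.EnrollmentCounts
CREATE TABLE dbo.EnrollmentCounts (
    term          CHAR(6)     NOT NULL,
    department    VARCHAR(64) NOT NULL,
    level         VARCHAR(16) NOT NULL,
    student_count INT         NOT NULL,
    CONSTRAINT PK_EnrollmentCounts PRIMARY KEY (term, department, level)
);

-- Refresh step: run on a schedule before the Power BI data refresh.
-- The HAVING clause is an added small-cell suppression threshold, not part
-- of the notice: a group with only one or two students can identify an
-- individual even in aggregate form. Use the threshold your data steward
-- approves.
TRUNCATE TABLE dbo.EnrollmentCounts;
INSERT INTO dbo.EnrollmentCounts (term, department, level, student_count)
SELECT term, department, level, COUNT(*)
FROM dbo.Enrollment
GROUP BY term, department, level
HAVING COUNT(*) >= 5;

-- Least privilege (added practice): the database principal Power BI connects
-- with gets SELECT on the aggregate table only. With no grant on
-- dbo.Enrollment, re-pointing a report at the row-level table simply fails.
CREATE ROLE powerbi_reader;
GRANT SELECT ON dbo.EnrollmentCounts TO powerbi_reader;
-- (deliberately no GRANT on dbo.Enrollment)
```

After re-pointing a report at the aggregate table, open the report in Power BI Desktop and confirm in the Model view that the row-level table no longer appears in the data model before republishing; a table that was removed from the visuals but is still in the model is still exposed.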
If you have questions or need more information on this topic, please let us know. Thank you.
[1] https://datamanagement.iu.edu/tools/matrix.php
–IT Community Partnerships on behalf of the University Information Security Office