Avans Power BI Data Exposure Alert For TPRM Analysts

Avans University of Applied Sciences disclosed that sensitive personal data was inadvertently accessible to unauthorized users for almost a year through an AMIGO management application built on Microsoft Power BI.

Cybernews reported on July 2, 2026 that a Microsoft environment change in 2025 unintentionally allowed data linked to individuals to be retrieved by people who should not have had access. Avans said the issue was discovered on June 8, 2026, resolved, reported to the Dutch data protection authority, and disclosed to affected people.

This is a useful TPRM case because it shows how cloud analytics and reporting platforms can create exposure through access configuration, even when there is no confirmed cyberattack.

What happened

A reporting application exposed sensitive data

The affected application was called AMIGO and contained management information such as student enrollment and dropout-related data. Avans did not publicly list the exact data fields, but said affected people were told what type of personal data was involved.

The exposure lasted almost a year

Reporting says the condition began after a Microsoft environment change on June 30, 2025 and was discovered on June 8, 2026. Long detection gaps are often the most important lesson for analysts.

No confirmed misuse has been reported

Avans said there is no evidence of misuse, while also saying misuse cannot be fully ruled out. That is a common uncertainty in access exposure cases.

The third-party angle

Cloud tools are shared responsibility environments

Avans reportedly stated that Microsoft owns Power BI, but Avans is responsible for managing and securing its data. That shared responsibility point is central for vendor and cloud reviews.

Configuration changes can affect access

A vendor platform change, tenant setting, permission model, or integration update can alter who can retrieve data. TPRM teams should ask how vendors detect those changes.

Business reporting can contain sensitive data

Analytics tools often contain extracts, identifiers, notes, and operational metrics that can be traced back to people. These tools should not be treated as low risk just because they are used for reporting.

What analysts should review

Access control ownership

Ask who owns access rules in reporting platforms, who approves exceptions, and how often access is recertified. Ownership gaps are a common cause of long exposure windows.

Data minimization in reports

Reports should avoid personal identifiers unless the business need is clear. If a dashboard can work with aggregated data, that should be preferred.

Monitoring for unusual data retrieval

Vendors and internal teams should be able to detect when report data is accessed by unexpected users, downloaded at unusual volume, or queried outside normal patterns.
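
The three signals named above, expressed as detection logic over a report-access log. This is an added example, not code from Avans, Microsoft, or the original article; the event fields, the approved-user list, the row limit and the working-hours window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Field names are assumptions
# modelled on a generic report-access audit log, not an exact vendor schema.
EVENTS = [
    {"time": "2026-03-02T09:15:00", "user": "analyst1@example.edu", "report": "enrollment", "action": "view", "rows": 0},
    {"time": "2026-03-02T10:40:00", "user": "lecturer7@example.edu", "report": "enrollment", "action": "view", "rows": 0},
    {"time": "2026-03-03T02:05:00", "user": "analyst1@example.edu", "report": "enrollment", "action": "export", "rows": 1200},
    {"time": "2026-03-03T14:00:00", "user": "analyst2@example.edu", "report": "enrollment", "action": "export", "rows": 40000},
    {"time": "2026-03-03T15:30:00", "user": "analyst2@example.edu", "report": "enrollment", "action": "export", "rows": 35000},
]
# Hypothetical output of the last access recertification: report -> approved users.
APPROVED = {"enrollment": {"analyst1@example.edu", "analyst2@example.edu"}}

def find_anomalies(events, approved, daily_row_limit=50000, work_hours=(7, 19)):
    """Return (time, user, report, reason) findings in time order."""
    findings = []
    exported = defaultdict(int)  # (user, report, date) -> rows exported that day
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["time"], ev["user"], ev["report"])
        # Signal 1: user is not on the recertified list for this report.
        # A report with no recorded owner list fails closed: every access is flagged.
        if ev["user"] not in approved.get(ev["report"], set()):
            findings.append(key + ("unexpected_user",))
        # Signal 2: cumulative export volume per user, report and day crosses the limit.
        if ev["action"] == "export":
            day = (ev["user"], ev["report"], ts.date())
            before = exported[day]
            exported[day] += ev["rows"]
            if before <= daily_row_limit < exported[day]:
                findings.append(key + ("export_volume",))
        # Signal 3: access outside the normal working window.
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append(key + ("off_hours",))
    return findings

def first_unexpected_access(findings):
    """Earliest unexpected-user finding, a starting point for sizing an exposure window."""
    hits = [f for f in findings if f[3] == "unexpected_user"]
    return hits[0] if hits else None

if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, APPROVED):
        print(finding)
```

The export check fires once, on the event that pushes a user's daily total over the limit, so two exports that each look ordinary are still caught together.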

Protection steps for TPRM teams

Review reporting platforms as data stores

Do not limit vendor review to source systems. Dashboards, extracts, and management applications may hold sensitive copied data that needs access control and retention rules.

Ask about configuration change testing

When a cloud provider changes settings or features, the vendor should test whether access assumptions still hold. That testing should be documented.

Set clear breach notice triggers

Unauthorized access without confirmed misuse can still be a reportable privacy event. Contracts and procedures should reflect that reality.

Practical checklist

  1. Identify vendors and internal platforms that use cloud reporting tools for personal data
  2. Confirm who owns access rules and who reviews them
  3. Reduce personal identifiers in dashboards and extracts where possible
  4. Ask how configuration changes are tested for access impact
  5. Review logs for unusual report access and downloads
  6. Set notice triggers for unauthorized access even without proven misuse
  7. Update risk records for vendors with long detection gaps

Analyst takeaway

The Avans Power BI exposure shows that reporting platforms can become sensitive data environments. TPRM analysts should review access ownership, configuration change testing, monitoring, and data minimization before a quiet exposure lasts months.

FAQ

What did Avans disclose?

Avans disclosed that sensitive personal data was accessible to unauthorized users for almost a year through an AMIGO application built on Microsoft Power BI.

Was this described as a cyberattack?

Avans reportedly said there was no cyberattack and that the data was not made publicly available.

Why does this matter for TPRM analysts?

It shows that cloud reporting tools need access controls, monitoring, configuration testing, and data minimization like other sensitive systems.
