Avans University of Applied Sciences disclosed that sensitive personal data was inadvertently accessible to unauthorized users for almost a year through an AMIGO management application built on Microsoft Power BI.
Cybernews reported on July 2, 2026 that a Microsoft environment change in 2025 unintentionally allowed data linked to individuals to be retrieved by people who should not have had access. Avans said the issue was discovered on June 8, 2026, resolved, reported to the Dutch data protection authority, and disclosed to affected people.
This is a useful TPRM case because it shows how cloud analytics and reporting platforms can create exposure through access configuration, even when there is no confirmed cyberattack.
What happened
A reporting application exposed sensitive data
The affected application was called AMIGO and contained management information such as student enrollment and dropout-related data. Avans did not publicly list the exact data fields, but said affected people were told what type of personal data was involved.
The exposure lasted almost a year
Reporting says the condition began after a Microsoft environment change on June 30, 2025 and was discovered on June 8, 2026. Long detection gaps are often the most important lesson for analysts.
No confirmed misuse has been reported
Avans said there is no evidence of misuse, while also saying misuse cannot be fully ruled out. That is a common uncertainty in access exposure cases.
The third-party angle
Cloud tools are shared-responsibility environments
Avans reportedly stated that Microsoft owns Power BI, but Avans is responsible for managing and securing its data. That shared responsibility point is central for vendor and cloud reviews.
Configuration changes can affect access
A vendor platform change, tenant setting, permission model, or integration update can alter who can retrieve data. TPRM teams should ask how vendors detect those changes.
Business reporting can contain sensitive data
Analytics tools often contain extracts, identifiers, notes, and operational metrics that can be traced back to people. These tools should not be treated as low risk just because they are used for reporting.
What analysts should review
Access control ownership
Ask who owns access rules in reporting platforms, who approves exceptions, and how often access is recertified. Ownership gaps are a common cause of long exposure windows.
Data minimization in reports
Reports should avoid personal identifiers unless the business need is clear. If a dashboard can work with aggregated data, that should be preferred.
Monitoring for unusual data retrieval
Vendors and internal teams should be able to detect when report data is accessed by unexpected users, downloaded at unusual volume, or queried outside normal patterns.
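The three checks named above (unexpected users, unusual download volume, access outside normal patterns) can be run over an audit export as in the following added example, which is not part of the original article. The event fields, the approved-access list and the thresholds are constructed assumptions, not any platform's actual audit schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real data). Field names are assumptions;
# map them from whatever audit export your reporting platform provides.
EVENTS = [
    {"ts": "2026-03-02T09:14:00", "user": "analyst1@example.edu", "action": "view", "report": "enrollment", "rows": 0},
    {"ts": "2026-03-02T10:00:00", "user": "analyst1@example.edu", "action": "export", "report": "enrollment", "rows": 3000},
    {"ts": "2026-03-02T15:30:00", "user": "analyst1@example.edu", "action": "export", "report": "enrollment", "rows": 2500},
    {"ts": "2026-03-02T11:05:00", "user": "student7@example.edu", "action": "view", "report": "enrollment", "rows": 0},
    {"ts": "2026-03-03T02:40:00", "user": "manager1@example.edu", "action": "view", "report": "enrollment", "rows": 0},
]

# Recertified access list per report (assumed to be maintained by the access owner).
APPROVED = {"enrollment": {"analyst1@example.edu", "manager1@example.edu"}}
EXPORT_ROW_LIMIT = 5000         # assumed ceiling: rows per user, per report, per day
BUSINESS_HOURS = range(7, 19)   # assumed normal access window, 07:00-18:59


def review(events, approved=APPROVED, row_limit=EXPORT_ROW_LIMIT, hours=BUSINESS_HOURS):
    """Return sorted (user, report, reason) findings for the three checks."""
    findings = set()
    exported = defaultdict(int)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["report"])
        # A report with no approved list flags every user (fails closed).
        if e["user"] not in approved.get(e["report"], set()):
            findings.add((*key, "user not on approved access list"))
        if ts.hour not in hours:
            findings.add((*key, "access outside normal hours"))
        # Sum exports per day so several small downloads still add up.
        if e["action"] == "export":
            exported[(*key, ts.date())] += e["rows"]
    for (user, report, day), rows in exported.items():
        if rows > row_limit:
            findings.add((user, report, f"exported {rows} rows on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, report, reason in review(EVENTS):
        print(f"{report}: {user}: {reason}")
```

The approved list only helps if it comes from the recertification process rather than from the platform's current permissions, since a configuration change can silently widen the latter.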
Protection steps for TPRM teams
Review reporting platforms as data stores
Do not limit vendor review to source systems. Dashboards, extracts, and management applications may hold sensitive copied data that needs access control and retention rules.
Ask about configuration change testing
When a cloud provider changes settings or features, the vendor should test whether access assumptions still hold. That testing should be documented.
Set clear breach notice triggers
Unauthorized access without confirmed misuse can still be a reportable privacy event. Contracts and procedures should reflect that reality.
Practical checklist
- Identify vendors and internal platforms that use cloud reporting tools for personal data
- Confirm who owns access rules and who reviews them
- Reduce personal identifiers in dashboards and extracts where possible
- Ask how configuration changes are tested for access impact
- Review logs for unusual report access and downloads
- Set notice triggers for unauthorized access even without proven misuse
- Update risk records for vendors with long detection gaps
Analyst takeaway
The Avans Power BI exposure shows that reporting platforms can become sensitive data environments. TPRM analysts should review access ownership, configuration change testing, monitoring, and data minimization before a quiet exposure lasts months.
FAQ
What did Avans disclose?
Avans disclosed that sensitive personal data was accessible to unauthorized users for almost a year through an AMIGO application built on Microsoft Power BI.
Was this described as a cyberattack?
Avans reportedly said there was no cyberattack and that the data was not made publicly available.
Why does this matter for TPRM analysts?
It shows that cloud reporting tools need access controls, monitoring, configuration testing, and data minimization like other sensitive systems.