A Microsoft Power BI data breach at the Avans University of Applied Sciences exposed sensitive personal information to unauthorized users for nearly a year before staff discovered the issue. The university has since fixed the vulnerability, notified affected individuals, and reported the incident to Dutch data protection authorities.
Misconfiguration Exposed Personal Data for Nearly a Year
The incident involved AMIGO, an internal management application built on Microsoft Power BI that stores management information, including student enrollment figures and dropout statistics.
According to Avans, a change introduced to its Microsoft environment on June 30, 2025, unintentionally allowed unauthorized users to retrieve data that could be linked to individual people.
The exposure remained undetected until June 8, 2026, when a university employee identified the problem. After confirming the issue, Avans immediately secured the application and reported the breach to the relevant Dutch privacy regulator.
University Declines to Reveal Exposed Information
Although the university has confirmed that the exposed information was sensitive, it has chosen not to disclose exactly what data the breach involved.
Avans said it withheld those details to protect the privacy of affected individuals. Instead, the university contacted everyone impacted by the incident on June 30, 2026, explaining privately what personal information had been exposed.
Investigation Focuses on Delayed Detection
The university has launched an internal investigation to determine how the exposure remained unnoticed for almost a year.
Investigators will examine why existing monitoring processes failed to detect unauthorized access sooner and identify improvements that could strengthen oversight of the university’s data management systems.
The review will also evaluate additional security controls that could help prevent similar incidents in the future.
No Evidence of Data Misuse So Far
At this stage, Avans says it has found no evidence that anyone misused the exposed personal information.
However, the university also acknowledges that it cannot completely rule out the possibility.
Officials emphasized that the incident did not involve a cyberattack and that the data never became publicly accessible.
Avans Accepts Responsibility for Data Security
Although Microsoft develops and maintains Power BI, Avans says responsibility for protecting the data stored within the platform remains with the university.
The institution acknowledged its accountability for securing personal information and said it takes that responsibility seriously while continuing its investigation into the incident.
Conclusion
The Microsoft Power BI data breach at Avans University highlights how configuration changes inside cloud platforms can unintentionally expose sensitive information for extended periods without detection. Even though investigators have found no signs of data misuse, the incident underscores the importance of continuous monitoring, regular security reviews, and prompt auditing of access controls to identify misconfigurations before they become long-term privacy risks.


0 responses to “Avans University Reports Year-Long Microsoft Power BI Data Breach”