How Microsoft Power BI Reports Expose Sensitive Data on the Web
Many organizations publish Power BI reports assuming only the visible data is shared. Our research shows the underlying data model can expose far more, including sensitive records that were never meant to be public.
Every Power BI report is powered by a semantic model, the complete underlying dataset, far beyond what any visualization displays. When that report is shared, so is everything beneath it: hidden tables, excluded columns, filtered records. All of it queryable. Most of it unprotected.
The result is data exposure affecting tens of thousands of organizations worldwide. Employee records, customer data, PHI, and PII – all accessible through reports that looked perfectly safe.
This report explains how it happens, and what you can do to keep your organization's data secure.
What You Will Learn
How the exploit works
Understanding how Power BI processes shared reports can reveal unexpected access paths that most security teams never think to check.
What data is at risk
The type of data sitting inside a semantic model, and who can reach it, may surprise you.
How to find your exposure
Public reports are easier to discover than most organizations realize. Knowing how they are found is the first step to knowing if yours is among them.
Why "hidden" is not secure
Assuming that hidden tables and columns stay hidden when a report is shared can leave sensitive data fully exposed without any indication something is wrong.
Step-by-step remediation
Concrete guidance on restructuring your semantic models, using Power Query filters, and auditing reports shared inside and outside your org.