Dutch university discloses year-long data breach in Microsoft Power BI application
The Avans University of Applied Sciences has admitted that sensitive personal data was inadvertently exposed to unauthorized users for almost a year through a management application built on Microsoft Power BI.

Image by Cybernews
The Avans University of Applied Sciences has admitted that sensitive personal data was inadvertently exposed to unauthorized users for almost a year through a management application built on Microsoft Power BI.
- Avans University of Applied Sciences exposed sensitive personal data for nearly a year via a Microsoft Power BI-based application. The issue affected data in its AMIGO management system.
- A Microsoft environment change in 2025 unintentionally allowed unauthorized access to data linked to individuals. The breach went undetected until June 2026.
- The university reported the incident to Dutch data protection authorities and notified affected individuals. It says there is no confirmed evidence of data misuse.
- The case raises concerns about oversight, monitoring, and responsibility for securing data in Microsoft Power BI systems. Investigators are reviewing why detection took so long.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The data breach occurred in an application called AMIGO, which manages datasets containing management information, such as student enrollment and dropout rates. The application was built using Microsoft Power BI.
On June 30th, 2025, a change was implemented in the Microsoft environment that inadvertently enabled the retrieval of data traceable to individual persons.
Earlier this month, on June 8th, 2026, an employee of the Avans University of Applied Sciences discovered that information was accessible to unauthorized users. Avans immediately resolved the issue and filed a report with the Dutch data protection authority.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The Dutch university won’t say which information was exposed, but admits it was considered sensitive.
“To protect the privacy of those affected, we’re not sharing that information. All those involved were personally notified on June 30th, 2026. It was explained exactly what type of personal data is involved,” Avans says on a page dedicated to the data breach.
The school has launched an investigation into the incident. One of the questions that security researchers will try to answer is why it took almost a year to discover the breach. They’re also looking into ways to improve the university’s control and monitoring tools to prevent recurrence.
At this time, Avans argues that there’s no evidence that any personal data has been misused. However, it can’t be ruled out completely either.
“What we do know is that there was no cyberattack and that the data was not made publicly available,” the educational institution concludes.
Avans states that Microsoft may be the owner of Power BI, but Avans is responsible for managing and securing the data.
“We take that responsibility seriously, and you can hold us to it,” Avans reassures.
Unlock more exclusive Cybernews content on YouTube.