The EU Parliament, as well as the Delft University in the Netherlands and the University of Wisconsin, have been warned by their IT departments about security risks with the new Microsoft Outlook app for mobile. The IT departments have recommended that users uninstall the app and change their passwords.
Many in the EU Parliament, as well as in universities throughout the world, use Outlook, whether on the desktop or mobile. The security concerns exist only for the mobile app so far. This appears to be because it's not a Microsoft-built app; it was Acompli, which Microsoft acquired back in December. Microsoft then renamed the Acompli app to "Outlook for iOS and Android" but kept all of its functionality (including the intrusive privacy policies) intact.
Soon after Microsoft relaunched Acompli as Outlook for mobile, a developer from IBM found three major security issues with it.
Another security issue is that both the username and password would also be saved and accessed by Acompli, which is why the IT departments of the EU Parliament asked for a password change. Acompli and Microsoft now know the login credentials of the people who have been using the mobile Outlook app. The app also collects other sensitive information, such as contacts and calendar data.
The third security issue is that the Outlook app also allows users to bypass a company's or organization's default security policies, which include limiting access to certain types of files or prohibiting employees from sharing confidential data with others outside of the organization. Employees can bypass the default restrictions by using the mobile Outlook's built-in connectors to OneDrive, Dropbox, Google Drive and other cloud services.
Microsoft hasn't reacted so far to the uncovering of these security issues, but now that the European Union Parliament can't safely use its Outlook app, and more universities are starting to block it as well, the company is likely to respond soon.