Wyden Calls for FTC Investigation of Microsoft for Enabling Ascension Hospital Ransomware Hack with Insecure Software
Wyden Reveals New Details about Ransomware Hack of Major Healthcare Provider; Urges Consequences for Insecure Microsoft Cybersecurity
Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., urged the Federal Trade Commission to launch an investigation of Microsoft for contributing to ransomware attacks against critical U.S. infrastructure, including the hack of millions of patient records from Ascension, the major hospital system, in 2024.
“I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector,” Wyden wrote in a letter to FTC Chairman Andrew Ferguson. “Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable.”
According to new information Wyden’s office obtained from Ascension, the hack began when a contractor clicked on a malicious link after conducting a web search on Microsoft’s Bing search engine. The link led to the contractor’s laptop being inadvertently infected with malware; dangerously insecure default settings on Microsoft software allowed the hackers to ultimately gain highly privileged access to the most sensitive parts of Ascension’s network.
The hackers employed a technique known as “Kerberoasting,” which exploits an insecure encryption technology from the 1980s known as “RC4” that is still supported by Microsoft software in its default configuration. Wyden staff urged Microsoft officials to warn customers about the Kerberoasting attack threat on July 29, 2024. Microsoft did publish a blog post about ways to protect against Kerberoasting attacks, on October 11, 2024, which indicated that the company planned to issue a software update to remove support for the vulnerable RC4 encryption technology. Today, 11 months after Microsoft published that blog post, the company has still not released the promised update, nor conducted direct outreach to warn customers.
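The paragraph above describes the attack only at the level of "Kerberoasting exploits RC4 that is still on by default". For a defender, the two practical questions are how to spot the technique in Windows Security logs and which service accounts still accept RC4. The following Python is an added example written for this page (it is not from the press release, from Ascension, or from Microsoft). It assumes the standard fields of Event ID 4769 (Kerberos service ticket requested) and the documented Kerberos encryption-type codes (0x17 = RC4-HMAC, 0x11 = AES128, 0x12 = AES256) and the `msDS-SupportedEncryptionTypes` bit values (0x4 = RC4, 0x8 = AES128, 0x10 = AES256); the log records and account objects are constructed sample data, and the requester names and addresses are placeholders.

```python
"""Kerberoasting indicators: RC4 service-ticket requests in Event 4769,
plus an audit of which service accounts still permit RC4.

Added example for this page; assumes Windows Security Event 4769 fields
and the documented Kerberos/AD encryption-type constants.
"""
from collections import defaultdict

# Kerberos ticket encryption types as logged in Event 4769.
RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}

# msDS-SupportedEncryptionTypes bit flags on an AD account object.
ENC_RC4 = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

# Constructed sample 4769 records (not real log data). A single requester
# pulling RC4 tickets for several service accounts is the classic pattern.
SAMPLE_EVENTS = [
    {"EventID": 4769, "SubjectUser": "contractor01", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "SubjectUser": "contractor01", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "SubjectUser": "contractor01", "ServiceName": "svc-backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "SubjectUser": "contractor01", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},   # computer account, ignored
    {"EventID": 4769, "SubjectUser": "alice", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},   # AES256, benign
    {"EventID": 4769, "SubjectUser": "bob", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.41"},   # one RC4 ticket, below threshold
]

# Constructed sample service accounts with their msDS-SupportedEncryptionTypes.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "msDS-SupportedEncryptionTypes": 0x1C},    # RC4 + AES128 + AES256
    {"sAMAccountName": "svc-web", "msDS-SupportedEncryptionTypes": 0x18},    # AES only
    {"sAMAccountName": "svc-backup", "msDS-SupportedEncryptionTypes": 0},    # unset: RC4 under legacy default
]


def parse_enc_type(value):
    """4769 logs the encryption type as a hex string such as '0x17'."""
    return int(value, 16)


def is_rc4_service_ticket(event):
    """True for a 4769 that issued an RC4 ticket for a user-style service account.

    Computer accounts ($) and krbtgt are excluded: their keys are long random
    values, so RC4 tickets for them are not the offline-cracking target.
    """
    if event.get("EventID") != 4769:
        return False
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return parse_enc_type(event["TicketEncryptionType"]) == RC4_HMAC


def find_kerberoasting(events, threshold=3):
    """Group RC4 service tickets by (requester, source IP); flag requesters
    that collected tickets for at least `threshold` distinct services."""
    per_requester = defaultdict(set)
    for e in events:
        if is_rc4_service_ticket(e):
            per_requester[(e["SubjectUser"], e["IpAddress"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}


def rc4_capable_accounts(accounts):
    """Return service accounts that still permit RC4 service tickets.

    A value of 0 (attribute unset) is reported too: under the legacy default the
    KDC falls back to RC4 for such accounts, which is the weak setting the text
    refers to. The fix is AES only (ENC_AES128 | ENC_AES256 == 0x18).
    """
    flagged = []
    for acct in accounts:
        enc = acct.get("msDS-SupportedEncryptionTypes", 0)
        if enc == 0 or enc & ENC_RC4:
            flagged.append(acct["sAMAccountName"])
    return flagged


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(services)}")
    print("accounts still allowing RC4:", rc4_capable_accounts(SAMPLE_ACCOUNTS))
```

The detection keys on the combination that matters: many RC4 (0x17) service tickets for distinct user-style service accounts from one requester in a short window. Tune the threshold and add a time window for a real SIEM rule. The audit half is the configuration side of the same problem: any account with `msDS-SupportedEncryptionTypes` unset or including the 0x4 bit can still be issued an RC4 ticket, and moving those accounts to AES-only (0x18) removes the cheap offline-cracking path the paragraph describes.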
Wyden has repeatedly called on federal agencies to hold Microsoft responsible for its years-long pattern of selling dangerously insecure software to the government. In July 2023, Wyden called for Microsoft to be held accountable for cybersecurity lapses that enabled a major Chinese hack of government agencies. In a subsequent review of that incident, requested by Wyden, the Cyber Safety Review Board concluded that “Microsoft’s security culture was inadequate and requires an overhaul.” Ultimately, Microsoft’s abysmal cybersecurity track record has had no impact on its lucrative federal contracts thanks to its dominant market position and inaction by government agencies in the face of the company’s string of security failures.
Read the full letter to the FTC here.
###