The heads of the Justice Department, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission (FTC) have been urged to hold Microsoft accountable for what US Sen. Ron Wyden (D-Ore.) calls “negligent security practices.” This request comes in response to a recent breach in Microsoft 365 where Chinese government hackers gained access to the email accounts of 25 organizations.
According to Microsoft, the compromise occurred due to three vulnerabilities in its Exchange Online email service and Azure Active Directory. The company stated in a blog post that a “China-based threat actor with espionage objective” used forged authentication tokens to access the emails starting from May 15. Microsoft took immediate action to block the malicious campaigns upon being notified by a customer and also directly informed the affected customers. However, another security firm has expressed concerns that other Azure AD applications could also be at risk.
Senator Wyden is now accusing Microsoft of withholding crucial information about the hack. He points out that the company has been careful not to admit that its infrastructure was breached by threat actors. In his four-page letter, Wyden highlights that this espionage operation is not the first attempt by a foreign government to hack US government emails, referring to the SolarWinds hacking campaign that occurred in 2020.
In his letter, Senator Wyden recalls Microsoft’s response to the SolarWinds hack and suggests that the company never took responsibility for its role in the incident. He notes that Microsoft blamed federal agencies for not prioritizing defense against the encryption key theft technique used by Russia, even though the company had known about that technique since 2017. Microsoft also shifted blame onto its customers for using default logging settings and for not storing encryption keys in a hardware vault. Wyden argues that holding Microsoft accountable for its negligence will require a collective effort from the government.
The senator lists specific actions that he believes the heads of the Justice Department, CISA, and the FTC should take to hold Microsoft responsible for the recent breach. However, it remains uncertain whether the individuals mentioned in the letter, including CISA Director Jen Easterly, Attorney General Merrick Garland, and FTC Chair Lina Khan, will act upon his requests.
This incident raises concerns about the cybersecurity practices of major technology companies and the potential vulnerabilities that can be exploited by state-sponsored hackers. It also underscores the need for both government agencies and companies like Microsoft to take proactive measures to protect sensitive data and defend against cyber threats.
As the investigation into the Microsoft 365 breach continues, it serves as a reminder that cybersecurity threats are constantly evolving, and organizations must remain vigilant to safeguard their networks and sensitive information.