Wyden Urges FTC Investigation Over Ascension Ransomware Hack


US Senator Ron Wyden of Oregon has called on the Federal Trade Commission to investigate Microsoft for cybersecurity lapses linked to ransomware attacks on critical US infrastructure. This includes the 2024 hack of Ascension, one of the nation’s largest hospital systems.

According to Wyden’s office, the breach began when a contractor clicked a malicious link in a Bing search result, which infected their laptop with malware.

Default settings in Microsoft software then allowed attackers to gain administrative access to the Ascension network, exposing the sensitive data of 5.6 million patients.

The hackers used a technique known as “Kerberoasting.” Any authenticated domain user can request a Kerberos service ticket for an account that has a service principal name, and that ticket is encrypted with a key derived from the account’s password, so it can be carried offline and cracked. The attack is practical because Active Directory still permits the outdated RC4 cipher by default: an RC4 ticket is keyed by the unsalted NT hash of the password, which cracks far faster than an AES ticket keyed by a salted, iterated derivation. AES is supported, but it is not enforced by default, so RC4 tickets continue to be issued.
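To make that signal concrete, the following is an added detection example written for this page; it is not code from Wyden’s letter, Microsoft, or Ascension. It runs over constructed Windows Security event 4769 (“A Kerberos service ticket was requested”) records; the one-line field layout, account names and service names are assumptions, and real events carry more fields. The indicators are real ones: a TicketEncryptionType of 0x17 (RC4-HMAC) for a non-machine service, and a burst of such requests for many distinct services from one account in a short window.

```python
"""Flag Kerberoasting-style RC4 service-ticket requests in Windows Security
event 4769 records. Sample data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type numbers as logged in the TicketEncryptionType
# field of event 4769 (RFC 3961 / RFC 4757): 0x11 = aes128-cts-hmac-sha1-96,
# 0x12 = aes256-cts-hmac-sha1-96, 0x17 = rc4-hmac, 0x18 = rc4-hmac-exp.
RC4_ETYPES = {0x17, 0x18}

# Constructed sample, one event per line:
#   <ISO time> <requesting account> <service name> <ticket etype, hex>
# (assumed simplified layout; real 4769 events have more fields)
SAMPLE_EVENTS = """\
2024-05-08T09:14:02 CONTRACTOR01@CORP.LOCAL SQLSVC 0x17
2024-05-08T09:14:03 CONTRACTOR01@CORP.LOCAL MSSQLSVC-RPT 0x17
2024-05-08T09:14:03 CONTRACTOR01@CORP.LOCAL HTTPSVC 0x17
2024-05-08T09:14:04 CONTRACTOR01@CORP.LOCAL BACKUPADMIN 0x17
2024-05-08T09:14:05 CONTRACTOR01@CORP.LOCAL WS0042$ 0x17
2024-05-08T09:20:11 JSMITH@CORP.LOCAL SQLSVC 0x12
2024-05-08T09:21:45 LEGACYAPP@CORP.LOCAL krbtgt 0x17
2024-05-08T11:02:19 ADOBRYN@CORP.LOCAL HTTPSVC 0x17
"""


def parse_events(text):
    """Parse the simplified event lines into dicts with a datetime and int etype."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, service, etype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "service": service,
            "etype": int(etype, 16),
        })
    return events


def is_roastable_request(ev):
    """True for an RC4 ticket issued for a user or service account.

    krbtgt tickets (TGTs) are excluded, as are machine accounts ('$' suffix),
    whose long random passwords are not practical to crack offline.
    """
    return (ev["etype"] in RC4_ETYPES
            and ev["service"].lower() != "krbtgt"
            and not ev["service"].endswith("$"))


def find_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Return {account: sorted service names} for every account that requested
    RC4 tickets for at least `min_services` distinct services within `window`."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        # Slide a window over this account's RC4 requests, oldest first.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            services = {e["service"] for e in in_window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts


def rc4_services(events):
    """Every non-machine service that was issued an RC4 ticket at all.

    These are the accounts still exposed to the attack, whatever the requester
    was doing: the ones whose encryption types should be restricted to AES.
    """
    return sorted({e["service"] for e in events if is_roastable_request(e)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("possible Kerberoasting:", find_kerberoasting(evs))
    print("services still issued RC4 tickets:", rc4_services(evs))
```

In the sample, CONTRACTOR01 requesting RC4 tickets for four different services within three seconds is the alert; the single RC4 request from ADOBRYN is not, but HTTPSVC still appears in the second list, because an account that can be issued an RC4 ticket at all is what the attack needs. The accounts in that list are the ones to move to AES-only (the msDS-SupportedEncryptionTypes attribute), give long random passwords or convert to managed service accounts, rather than relying on catching the burst.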

Wyden staff reportedly warned Microsoft of the vulnerability in July 2024. Microsoft published a blog post about the threat in October 2024 and said it planned to issue a software update. Nearly a year later, no update has been released and the company has not conducted direct outreach to warn customers.


Microsoft’s dominant position in enterprise operating systems gives the company control over default security configurations.

Wyden criticized the company’s handling of cybersecurity.

“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he wrote in his FTC letter on Wednesday.

Calls for Accountability

Wyden has reportedly pressed federal agencies several times to hold Microsoft responsible for cybersecurity lapses.

Past reviews, including one by the Cyber Safety Review Board, concluded that Microsoft’s security culture “was inadequate and requires an overhaul.” 

Despite repeated breaches, Wyden said the company continues to secure lucrative federal contracts.

“What happened at Ascension isn’t just about one bad click or an old cipher,” said Ensar Seker, CISO at cybersecurity threat intelligence company SOCRadar.

“It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s.”

The Human Cost of Insecure Software

Ransomware incidents increased sharply in 2024, with over 5000 attacks reported, a 15% rise from 2023. Half of these targeted US organizations, including hospitals, government agencies and private companies.

The Ascension case highlights the potential human cost of insecure default software, disrupting patient care and putting sensitive data at risk.

Wyden’s letter urges the FTC to act, citing the need to hold Microsoft accountable for systemic cybersecurity failures that could pose a threat to national security.
