Sen. Ron Wyden, D-Oregon, the chair of the Senate Finance Committee, on Thursday called on the Justice Department and two civil regulators to launch separate probes into Microsoft's "negligent cybersecurity practices" that enabled a spear-phishing attack targeting high-level members of President Joe Biden's cabinet. The hackers accessed the Microsoft-powered email accounts of top China envoys, Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken, just ahead of a crucial Sino-U.S. meeting.
In his letter to Attorney General Merrick Garland, Federal Trade Commission chair Lina Khan, and Cybersecurity and Infrastructure Security Agency director Jen Easterly, Wyden said that "government emails were stolen because Microsoft committed another error." The breach, which occurred between May and June, resulted from "a validation error in Microsoft code" that allowed the hackers to forge authentication tokens and gain access to Microsoft-hosted accounts belonging to government agencies and other organizations.
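The breach described above came down to token validation: a token the service should have refused was treated as genuine. As an added example, not code from the article and not Microsoft's own implementation, here is a minimal strict verifier for HS256-style compact tokens. It accepts a token only if its `kid` names a key in an explicit trusted set, the signature verifies under that key, and the issuer, audience and expiry claims match what the relying service expects; a token signed with any other key, or carrying a trusted `kid` but a foreign signature, is rejected. The key ids, secrets, issuer and audience URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key material for this example only (not real keys).
TRUSTED_KEYS = {
    "corp-signing-2023": b"example-trusted-secret-do-not-reuse",
}
EXPECTED_ISSUER = "https://login.example.test/"     # constructed placeholder
EXPECTED_AUDIENCE = "https://mail.example.test/"    # constructed placeholder


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as compact tokens do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores the stripped '=' padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a header.payload.signature token signed with HMAC-SHA256 under `key`.
    Used here both for the legitimate issuer and to construct rejected samples."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Strict verification: returns the claims, or raises ValueError on any failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    # The key is chosen from the trusted set only; an unknown kid never falls back
    # to "whatever key the token points at".
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("token signed with a key that is not in the trusted set")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("unexpected audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_accepted(token: str, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True only when every check in verify_token passes."""
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample claims and a fixed clock so the run is reproducible.
    now = 1_700_000_000
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "user@example.test", "exp": now + 3600}
    good = mint_token("corp-signing-2023", TRUSTED_KEYS["corp-signing-2023"], claims)
    forged = mint_token("attacker-key", b"attacker-secret", claims)
    spoofed_kid = mint_token("corp-signing-2023", b"attacker-secret", claims)
    print("legitimate token accepted:", is_accepted(good, now))
    print("token under untrusted key accepted:", is_accepted(forged, now))
    print("trusted kid, foreign signature accepted:", is_accepted(spoofed_kid, now))
```

The important design point is that the verifier never derives trust from the token itself: the `kid` is only a lookup into a fixed allow-list, and a miss is a hard failure rather than a fallback, while issuer and audience are compared against constants the service owns. Logging every rejection reason (as `verify_token` surfaces them) is what lets a defender notice a wave of tokens referencing keys the service does not recognise.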
Wyden wrote that the Justice Department should look into whether Microsoft's negligence violated federal law. He also asked CISA to determine whether Microsoft violated best practices for securing the encryption key, and the FTC to investigate whether the tech giant violated federal privacy statutes. The senator highlighted the potential for anti-competitive behavior stemming from Microsoft's dominance in the cloud computing market, an allegation previously raised by rivals and cybersecurity firms, including Google.
Wyden noted that the Department of State was able to detect the hack only because it had paid for more granular logging, and that Microsoft has since decided to stop charging for that advanced logging and offer it free of cost. He also mentioned that Russian hackers exploited a similar technique in the SolarWinds attack of 2020.
A Microsoft spokesperson commented that "this incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks," adding that the company would continue sharing information on its Microsoft Threat Intelligence blog. A spokesperson for the FTC confirmed the letter was received but declined to comment further. CISA did not respond to a request for comment.