Wyden Calls for FTC Probe into Microsoft Over Ascension Hack

Senator Ron Wyden (D-Ore.) has sent a letter to Federal Trade Commission Chairman Andrew Ferguson, urging the agency to investigate Microsoft's role in enabling the 2024 Ascension cyberattack. The senator's concerns center around Microsoft's "dangerously insecure default settings" that allegedly allowed hackers to gain access to Ascension's network.

Ascension, which operates more than 140 hospitals across 19 U.S. states, suffered a ransomware attack in May 2024 that disrupted its network, including its EHR system. The incident resulted in a data breach that affected 5.6 million individuals, forcing hospitals to revert to paper records and use manual processes for dispensing medication, contacting patients, and ordering diagnostic tests.

The Ascension ransomware attack is the latest high-profile incident to draw attention to security weaknesses in Microsoft's products. Wyden argues that Microsoft has a "de facto monopoly over the operating systems used by most companies and government agencies," which puts its customers at risk.

Microsoft's Role in the Ascension Hack

In his letter to the FTC, Wyden alleged that Microsoft's default settings allowed hackers to gain access to Ascension's network. He pointed out that Microsoft Windows is "incredibly vulnerable to ransomware infections" due to its "dangerous software engineering decisions." Wyden claimed that these decisions have largely been hidden from corporate and government customers.

"In its default configuration, Microsoft Windows is incredibly vulnerable to ransomware infections," the letter stated. "Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection."

The Impact of RC4 Encryption

Wyden also argued that Microsoft's continued support of RC4, a stream cipher dating from the 1980s that is now considered obsolete, enabled hackers to use a technique called Kerberoasting to gain access to privileged accounts. Although this threat can be mitigated by setting passwords that are at least 14 characters long, Microsoft does not require that password length by default.
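The RC4 dependence the letter describes is visible in a domain's own Kerberos logs: Windows Security Event ID 4769 records the encryption type of every service ticket issued, and 0x17 is RC4-HMAC. The detection below is an added example written for this article, not code from the letter or from Microsoft; the sample events, the CORP.EXAMPLE realm and the "three or more distinct services" threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Ticket Encryption Type values as logged in Windows Security Event ID 4769.
RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample 4769 events. Field names follow the real event;
# accounts, service names and the realm are made up for this example.
SAMPLE_4769 = [
    "4769 Account Name=alice@CORP.EXAMPLE Service Name=MSSQLSvc/db01.corp.example Ticket Encryption Type=0x12",
    "4769 Account Name=bob@CORP.EXAMPLE Service Name=HTTP/web01.corp.example Ticket Encryption Type=0x17",
    "4769 Account Name=bob@CORP.EXAMPLE Service Name=MSSQLSvc/db01.corp.example Ticket Encryption Type=0x17",
    "4769 Account Name=bob@CORP.EXAMPLE Service Name=CIFS/file01.corp.example Ticket Encryption Type=0x17",
    "4769 Account Name=bob@CORP.EXAMPLE Service Name=HTTP/web02.corp.example Ticket Encryption Type=0x17",
    "4769 Account Name=carol@CORP.EXAMPLE Service Name=legacyapp$ Ticket Encryption Type=0x17",
]

FIELD_RE = re.compile(
    r"Account Name=(?P<account>\S+) Service Name=(?P<service>\S+) "
    r"Ticket Encryption Type=(?P<etype>0x[0-9a-fA-F]+)"
)

def parse_4769(line):
    """Return (account, service, etype) for a 4769 line, or None if it does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return m["account"], m["service"], int(m["etype"], 16)

def rc4_service_tickets(lines):
    """Service-ticket requests issued with RC4-HMAC (etype 0x17). Each one means
    the target service account still accepts RC4, so the ticket is protected
    only by that account's password: exactly what a 14+ character password
    policy (or disabling RC4 on the account) is meant to mitigate."""
    out = []
    for line in lines:
        parsed = parse_4769(line)
        if parsed and parsed[2] == RC4_HMAC:
            out.append(parsed)
    return out

def accounts_requesting_many_rc4_tickets(lines, threshold=3):
    """Requesting accounts that obtained RC4 tickets for >= threshold distinct
    services. One principal pulling RC4 tickets for many unrelated services
    in a log window is the pattern worth an analyst's review; the threshold
    is an assumed starting point, not a tuned value."""
    per_account = defaultdict(set)
    for account, service, _ in rc4_service_tickets(lines):
        per_account[account].add(service)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}

if __name__ == "__main__":
    for account, services in accounts_requesting_many_rc4_tickets(SAMPLE_4769).items():
        print(f"{account}: RC4 tickets for {len(services)} services: {services}")
```

Every RC4 ticket in the output also names a service account that should be moved to AES (and given a long password), independent of whether the requester looks suspicious.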

"Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software," Wyden said. "There is one company benefiting from this status quo: Microsoft itself." He suggested that the company has repeatedly failed to inform customers about key cybersecurity best practices.

A Culture of Negligent Cybersecurity

Wyden urged the FTC to look into Microsoft's practices and hold it accountable for a "culture of negligent cybersecurity." He argued that government agencies, companies, and nonprofits like Ascension have no choice but to continue using Microsoft's software due to its near-monopoly over enterprise IT.

"At this point, Microsoft has become like an arsonist selling firefighting services to their victims," Wyden said. "And yet they have the audacity to claim that they are doing everything they can to protect their customers." The senator's comments highlight the need for greater accountability from tech giants when it comes to cybersecurity.