Senator Wyden Demands FTC Probe Microsoft Over Cybersecurity Negligence Following Major Hospital Hack
- John Jordan
- Sep 11
Updated: Sep 16
Senator Ron Wyden has formally asked the Federal Trade Commission (FTC) to investigate Microsoft, citing "gross cybersecurity negligence." The call comes in the wake of significant ransomware attacks on critical U.S. infrastructure, including the healthcare sector, with the senator arguing that Microsoft's default software configurations and continued support for outdated encryption methods have made organizations vulnerable.

Key Takeaways
- Senator Ron Wyden has urged the FTC to investigate Microsoft for "gross cybersecurity negligence."
- The call is prompted by ransomware attacks on critical infrastructure, notably the Ascension hospital system.
- Wyden alleges that Microsoft's default settings and support for outdated encryption (RC4) facilitate attacks like Kerberoasting.
- Microsoft acknowledges RC4 is old but states disabling it would break customer systems, with plans to deprecate it by 2026.
- Critics argue Microsoft profits from selling security add-ons after vulnerabilities are exploited.
Ascension Hospital Breach Highlights Concerns
Wyden's office obtained information from the healthcare system Ascension, which suffered a major ransomware attack in 2024. This incident led to the theft of personal and medical information for nearly 5.6 million individuals and disrupted access to electronic health records. The attack was attributed to the Black Basta ransomware group.
According to Wyden's office, the breach originated when a contractor clicked a malicious link found via Microsoft's Bing search engine. Attackers then exploited "dangerously insecure default settings" in Microsoft software, specifically leveraging a technique known as Kerberoasting. This method targets the Kerberos authentication protocol by exploiting the RC4 encryption algorithm, which is still supported by Microsoft software by default.
Outdated Encryption and Default Settings Under Scrutiny
Wyden's letter to FTC Chairman Andrew Ferguson criticizes Microsoft for its continued support of RC4, an encryption technology developed in the 1980s that has known cryptographic weaknesses. He argues that this "needlessly exposes" customers to threats by allowing attackers to crack privileged account passwords. While Microsoft has stated it discourages the use of RC4 and plans to disable it by default in future updates, Wyden contends the company has been slow to act and has not adequately warned customers.
Wyden also drew parallels to previous security failures, including a report by the U.S. Cyber Safety Review Board that lambasted Microsoft for avoidable errors contributing to a breach by Chinese threat actors. He suggested that Microsoft's dominant market position has allowed it to avoid significant consequences for its security shortcomings, likening the company to an "arsonist selling firefighting services to their victims."
Microsoft's Response
Microsoft has acknowledged that RC4 is an older encryption standard and accounts for a small fraction of its network traffic. However, the company stated that completely disabling it would disrupt many customer systems. Microsoft plans to disable RC4 by default in certain Windows products starting in early 2026 and will implement additional mitigations for existing deployments. The company also noted it discourages customers from using RC4 and provides guidance on safer usage.
Call for FTC Action
Wyden's request for an FTC investigation underscores a broader debate about software vendor accountability and the balance between supporting legacy systems and implementing secure-by-default designs. The senator argues that Microsoft's market dominance leaves organizations with little choice but to rely on its default configurations, thereby amplifying systemic risk and posing a threat to national security.