FTC PRESSED TO INVESTIGATE MICROSOFT’S SECURITY FAILURES, SENATOR SAYS

U.S. Senator Ron Wyden called on the Federal Trade Commission (FTC) Wednesday to launch an investigation into Microsoft, urging regulators to hold the company accountable for what he described as repeated and severe cybersecurity failures. In his view, Microsoft’s lax security practices pose an ongoing threat to national security.

In a September 10 letter to FTC Chairman Andrew Ferguson, the Democratic lawmaker accused Microsoft of “gross cybersecurity negligence” that has enabled ransomware groups to target critical infrastructure—including attacks on U.S. hospitals—due in part to insecure default settings in the Windows operating system.

“Microsoft has become like an arsonist selling fire insurance,” Wyden wrote, arguing that government agencies and private companies alike are effectively locked into using Microsoft products because of the company’s dominance in enterprise IT.

As an example, Wyden highlighted the May 2024 ransomware attack on Ascension, one of the nation’s largest hospital systems. The incident exposed the personal medical and insurance records of nearly 5.6 million patients. According to Ascension, a contractor using a company-issued laptop clicked on a malicious link delivered through Microsoft’s Bing search engine. That action reportedly gave the attackers a foothold on Ascension’s network and, eventually, control of its Microsoft Active Directory server, the directory service that manages user accounts, computers and authentication across a Windows network, and therefore the key to every system joined to it.

Wyden blamed the breach partly on Microsoft’s continued support for outdated encryption algorithms, such as RC4, and on risky default settings that leave the weaker options enabled unless an administrator turns them off. He also faulted the company for not giving organizations adequate guidance on how to harden their systems against attacks that exploit these defaults.

The FTC confirmed it had received Wyden’s letter but offered no further comment.

Microsoft responded by defending its position, stating that RC4, the legacy encryption algorithm named in Wyden’s letter, accounts for less than 0.1% of its traffic and that the company discourages customers from using it. A spokesperson explained, however, that disabling RC4 outright would break many existing systems that still depend on it. Instead, Microsoft is phasing it out gradually, adding safeguards in the meantime, and plans to disable RC4 by default in some Windows products starting in early 2026.

Until that happens, organizations should not wait for the default to change. They need to reassess their security posture, inventory where RC4 and other outdated encryption methods are still accepted (in particular in Active Directory account settings and Kerberos ticket logs), migrate the affected accounts and services to AES, and carry out threat-hunting activities to spot any remaining use of the legacy algorithm.
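The following PowerShell script is an added example of that audit and hunt, not code from the article or from Microsoft. It assumes a domain controller (or a management host with the ActiveDirectory RSAT module) and rights to read the Security event log. The msDS-SupportedEncryptionTypes flag bits (0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256) and the fields of Security event 4769 (Kerberos service ticket requested, where TicketEncryptionType 0x17 means RC4-HMAC) are Microsoft-documented; the function names and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the article or Microsoft): list Active Directory principals that
# still permit RC4 for Kerberos service tickets, then hunt the Security log for tickets that
# were actually issued with RC4. Assumes the ActiveDirectory RSAT module and read access to
# the Security log on a domain controller.

Import-Module ActiveDirectory

# Flag bits of the msDS-SupportedEncryptionTypes attribute
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-Rc4CapableAccounts {
    # Every user or computer object with at least one SPN: these are the principals for which
    # the KDC issues service tickets, so their accepted encryption types decide the ticket cipher.
    $props  = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'pwdLastSet'
    $filter = '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))'

    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        if (-not $enc) {
            # Unset or 0: the account inherits the domain controller's default, which on older
            # configurations still includes RC4. Treat as needing review rather than as safe.
            $state = 'Inherits domain default (review)'
        } elseif ($enc -band $RC4) {
            $state = if ($enc -band ($AES128 -bor $AES256)) { 'RC4 and AES' } else { 'RC4 only' }
        } else {
            $state = 'AES only'
        }

        [pscustomobject]@{
            Name            = $_.Name
            Class           = $_.ObjectClass
            EncTypes        = if ($enc) { '0x{0:X}' -f $enc } else { '<unset>' }
            State           = $state
            # AES keys are derived when the password is set; an account whose password predates
            # AES support has no AES keys and will break if RC4 is removed before a reset.
            PasswordLastSet = [DateTime]::FromFileTime([int64]$_.pwdLastSet)
        }
    } | Where-Object { $_.State -ne 'AES only' }
}

function Find-Rc4TicketRequests {
    param([int]$Hours = 24)

    # Event 4769 is written on domain controllers when 'Audit Kerberos Service Ticket Operations'
    # is enabled. A successful request (Status 0x0) with TicketEncryptionType 0x17 means the KDC
    # issued an RC4-HMAC service ticket, i.e. the legacy cipher is still in live use.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TicketEncryptionType'] -eq '0x17' -and $data['Status'] -eq '0x0') {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Requester = $data['TargetUserName']
                Service   = $data['ServiceName']
                ClientIP  = $data['IpAddress']
                EncType   = $data['TicketEncryptionType']
            }
        }
    }
}

# Usage: which accounts still allow RC4, and which services actually received RC4 tickets today.
Get-Rc4CapableAccounts | Sort-Object State, Name | Format-Table -AutoSize
Find-Rc4TicketRequests -Hours 24 |
    Group-Object Service | Sort-Object Count -Descending | Select-Object Count, Name
```

The second list is the one to act on first: a service that is still receiving RC4 tickets has a client that will fail the moment RC4 is disabled, so it needs its account moved to AES (and, if the password predates AES support, a password reset so that AES keys exist) before the default flips. Accounts that appear only in the first list are not yet exercising RC4 but remain exposed until their msDS-SupportedEncryptionTypes is set explicitly to an AES-only value.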
