US Senator Calls for FTC Investigation of Microsoft for Ascension Hospital Ransomware Hack
In a letter to FTC Chairman Andrew Ferguson, U.S. Senator Ron Wyden urged the FTC to launch an investigation of Microsoft and “hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector.” This includes the hack of millions of patient records from Ascension, the major hospital system, in 2024.
You can read the letter here: https://www.wyden.senate.gov/news/press-releases/wyden-calls-for-ftc-investigation-of-microsoft-for-enabling-ascension-hospital-ransomware-hack-with-insecure-software
Ensar Seker, CISO at cybersecurity threat intelligence company SOCRadar, commented:
“The letter underscores a long-standing tension in enterprise cybersecurity: the balance between legacy system support and secure-by-default design. What happened at Ascension isn’t just about one bad click or an old cipher. It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.
“From a technical standpoint, allowing deprecated encryption like RC4 to remain enabled by default, even at 0.1% usage, introduces avoidable exposure. The challenge is that many organizations still rely on legacy applications that can break when more secure defaults are enforced. Vendors are often reluctant to force those changes out of fear of business disruption, but in security, inertia can be dangerous.
“This incident also reinforces the importance of zero trust segmentation and endpoint detection. A single compromised contractor laptop should never have been able to reach Active Directory in the first place. That speaks to deeper gaps in lateral movement defenses, privilege boundaries, and user behavior monitoring, not just a software flaw.
“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”
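Seker’s point about RC4 staying enabled by default and legacy applications breaking when it is removed implies a concrete defender workflow: measure how much Kerberos traffic still uses RC4 (the “0.1% usage” figure) from the domain controllers’ 4769 service-ticket events, identify which services and client hosts depend on it, and only then move accounts to AES-only. The script below is an added example, not code from the post or from Microsoft; it assumes the 4769 records have been exported to Python dicts, uses a constructed sample rather than real telemetry, and assumes the RC4 at issue is the Kerberos RC4-HMAC encryption type, which is what an Active Directory estate actually uses.

```python
from collections import defaultdict

# Kerberos encryption-type codes as logged in the TicketEncryptionType
# field of Windows Security event 4769 (Kerberos service ticket requested).
RC4_ETYPES = {0x17, 0x18}          # RC4-HMAC, RC4-HMAC-EXP

# Bit flags of the msDS-SupportedEncryptionTypes attribute on AD accounts.
ENC_DES = 0x01 | 0x02
ENC_RC4 = 0x04
ENC_AES = 0x08 | 0x10
HARDENED = ENC_AES                 # AES128 + AES256 only, no RC4 or DES

# Constructed sample of 4769 records (not real telemetry). In production
# these come from every DC's Security log over the measurement window.
SAMPLE_4769 = [
    {"ServiceName": "krbtgt",        "TicketEncryptionType": 0x12, "IpAddress": "10.1.1.20"},
    {"ServiceName": "sql-svc",       "TicketEncryptionType": 0x12, "IpAddress": "10.1.1.21"},
    {"ServiceName": "sql-svc",       "TicketEncryptionType": 0x17, "IpAddress": "10.1.9.77"},
    {"ServiceName": "backup-svc",    "TicketEncryptionType": 0x17, "IpAddress": "10.1.9.77"},
    {"ServiceName": "fileserver01$", "TicketEncryptionType": 0x12, "IpAddress": "10.1.1.22"},
    {"ServiceName": "fileserver01$", "TicketEncryptionType": 0x11, "IpAddress": "10.1.1.23"},
]

def rc4_usage(events):
    """Return (share of tickets issued with RC4, {service: [client IPs still using RC4]}).
    Each map entry is a legacy dependency that breaks the moment RC4 is removed."""
    rc4_clients = defaultdict(set)
    for ev in events:
        if ev["TicketEncryptionType"] in RC4_ETYPES:
            rc4_clients[ev["ServiceName"]].add(ev["IpAddress"])
    rc4_count = sum(1 for ev in events if ev["TicketEncryptionType"] in RC4_ETYPES)
    fraction = rc4_count / len(events) if events else 0.0
    return fraction, {svc: sorted(ips) for svc, ips in rc4_clients.items()}

def needs_hardening(supported_etypes):
    """True if an account's msDS-SupportedEncryptionTypes still admits RC4 or DES.
    0/None means the attribute is unset, so the KDC applies the domain default,
    which on most estates still permits RC4: the 'enabled by default' exposure."""
    if not supported_etypes:
        return True
    return bool(supported_etypes & (ENC_RC4 | ENC_DES))

def hardening_plan(accounts, rc4_services):
    """accounts: {sAMAccountName: msDS-SupportedEncryptionTypes}. Decide per account
    whether it can go AES-only now or must wait until its RC4 clients are fixed."""
    plan = {}
    for name, etypes in accounts.items():
        if not needs_hardening(etypes):
            plan[name] = "already AES-only"
        elif name in rc4_services:
            plan[name] = "blocked: RC4 clients " + ", ".join(rc4_services[name])
        else:
            plan[name] = f"set msDS-SupportedEncryptionTypes to 0x{HARDENED:x}"
    return plan
```

Run over a real window of events, the blocked entries are the list to hand to application owners; the remaining entries can be hardened immediately without the business disruption that keeps vendors from changing the default.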
The EU has shown through strict enforcement and high fines that when organizations are given a financial reason to care about cybersecurity, they do, because it gets expensive if they don’t. It’s time that this sort of enforcement comes to North America.
This entry was posted on September 11, 2025 at 8:46 pm and is filed under Commentary with tags Hacked, Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.