U.S. Democratic Senator Ron Wyden has urged the Federal Trade Commission (FTC) to take action against Microsoft over a series of serious cybersecurity failures, arguing that the company’s weak security practices put the nation at risk.
In a letter dated September 10 to FTC Chairman Andrew Ferguson, Wyden accused Microsoft of “gross cybersecurity negligence” and warned that the company’s practices “continue to threaten U.S. national security.”
Wyden pointed to ransomware incidents affecting critical infrastructure, including hospitals, and said default settings in Microsoft’s software have made organizations more vulnerable.
“At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden wrote, noting that government bodies and businesses have “no choice” but to depend on Microsoft’s products due to its “near-monopoly over enterprise IT.”
An FTC spokesperson confirmed the agency had received Wyden’s letter but declined to provide additional remarks.
The Ascension Attack as a Case Study
The senator highlighted the May 2024 cyberattack against Ascension, one of the country’s largest hospital operators, as a striking example. That breach exposed the medical and insurance information of nearly 5.6 million individuals.
According to Wyden, Ascension informed his staff that a contractor using one of its laptops clicked on a malicious link served through Microsoft’s Bing search engine.
This allowed attackers to infiltrate Ascension’s systems and eventually compromise its Microsoft Active Directory server, which manages employee accounts.
Wyden asserted that Microsoft’s reliance on outdated encryption standards and risky default settings opened the door for such attacks. He also criticized the company for failing to adequately inform customers about steps they could take to strengthen defenses.
Microsoft responded on Wednesday, defending its approach while acknowledging that some older technology remains in use.
A company spokesperson explained that RC4, the encryption method Wyden mentioned, is “less than .1% of our traffic,” and that Microsoft actively discourages clients from using it.
“However, disabling its use completely would break many customer systems,” the spokesperson said. The company added that it is phasing out the technology by gradually restricting its use, offering guidance on safer practices in the meantime.
Microsoft plans to turn off RC4 by default in certain Windows products starting in early 2026, and will implement “additional mitigations” for systems that still rely on it.
This is not Wyden’s first call for scrutiny of Microsoft. In 2023, he also pushed for an investigation after hackers with ties to China gained access to thousands of emails belonging to U.S. officials.