Jul 28, 2023 - Technology

Senator calls for probe in Microsoft breach


A top cybersecurity-focused senator is calling for the U.S. government to "hold Microsoft responsible for its negligent cybersecurity practices" after a recent cloud breach.

Driving the news: Sen. Ron Wyden (D-Ore.) sent a letter Thursday to the heads of the Justice Department, the Federal Trade Commission and CISA asking them to launch new inquiries into Microsoft's cybersecurity practices.

Why it matters: This marks the first lawmaker request to investigate Microsoft's cybersecurity strategies since the breaches were discovered earlier this month.

What they're saying: "Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident," Wyden writes in the letter.

Catch up quick: Earlier this month, Microsoft disclosed that a China-based hacking group had gained access to email accounts belonging to several government agencies.

Details: Wyden alleges that Microsoft likely failed to store "high-value encryption keys" in a recommended hardware storage vault that would have prevented the hackers from stealing them.

  • Wyden also argues that Microsoft should not have had an encryption key that would allow people to authenticate other accounts in the first place.

Of note: The senator also placed some blame on the federal government for not detecting these alleged poor storage practices during federal procurement cybersecurity reviews.

Between the lines: Wyden is calling on several regulators to act.

  • He's asking CISA director Jen Easterly to direct the Cyber Safety Review Board to investigate the July hacks and Microsoft's security practices around encryption keys.
  • He's also calling on Attorney General Merrick Garland to examine whether "Microsoft’s negligent practices violated federal law."
  • And he's urging FTC chair Lina Khan to investigate Microsoft's privacy and data security practices related to this incident.

The other side: "This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks," a Microsoft spokesperson said in a statement.

  • "We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."
