
Senator Ron Wyden Accuses Microsoft of Cybersecurity Negligence Over Healthcare Ransomware Breach

U.S. Senator Ron Wyden has escalated concerns about Microsoft’s cybersecurity practices, formally requesting the Federal Trade Commission (FTC) to launch an investigation into the tech giant. In a strongly worded letter, Wyden accused Microsoft of “gross cybersecurity negligence”, pointing to its failure to address well-documented security risks that left healthcare organizations vulnerable to devastating ransomware attacks.

The tipping point came after the Ascension Health ransomware breach in May 2024, where the personal data of 5.6 million patients was compromised. According to reports, the incident began when a contractor unknowingly clicked on a malicious Bing search result in Microsoft Edge, triggering a Kerberoasting attack. This method exploits Microsoft’s Active Directory authentication system, enabling hackers to steal encrypted service account credentials and crack them offline.

At the heart of the controversy is Microsoft’s continued support of the outdated RC4 encryption algorithm within Kerberos authentication. RC4, once widely used, is now recognized as dangerously insecure and easily broken with brute-force tools. Attackers can leverage these vulnerabilities to escalate privileges and move laterally through a compromised network, as seen in the Ascension case. Wyden argued that keeping RC4 available—despite safer alternatives like AES-128/256—is reckless and jeopardizes critical infrastructure security.
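The two paragraphs above describe the signal a defender can actually look for: a Kerberoasting run shows up on a domain controller as service-ticket requests (Windows Security event 4769) whose ticket encryption type is RC4-HMAC (0x17) rather than AES (0x11 or 0x12), typically for several user-backed service accounts in quick succession. The following Python is an added example, not code from the article or from Microsoft; it runs a small detection over constructed, flattened 4769 records (the key=value line format and every account, service and address value are assumptions made for this example) and reports which accounts requested RC4 service tickets and for which services.

```python
import re
from collections import defaultdict

# Kerberos encryption type values as they appear in the "Ticket Encryption Type"
# field of Windows Security event 4769.
RC4_HMAC = 0x17           # rc4-hmac: the legacy cipher the letter criticizes
AES_TYPES = {0x11, 0x12}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed sample data (not real logs): 4769 events flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.5 FailureCode=0x0",
    "EventID=4769 AccountName=asmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.9 FailureCode=0x0",
    "EventID=4769 AccountName=bjones@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.7 FailureCode=0x0",
    "EventID=4769 AccountName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.9 FailureCode=0x1B",
    "EventID=4768 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5 FailureCode=0x0",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(_KV.findall(line))


def is_rc4_service_ticket(ev):
    """True when a successful 4769 issued an RC4 ticket for a user-backed service."""
    if ev.get("EventID") != "4769":
        return False
    if ev.get("FailureCode", "0x0") != "0x0":
        return False  # denied requests never yielded a crackable ticket
    try:
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    except ValueError:
        return False
    if etype != RC4_HMAC:
        return False
    service = ev.get("ServiceName", "")
    # The KDC's own service and computer accounts (names ending in '$') are left out:
    # their keys are long random secrets, not human-chosen passwords, so an RC4 ticket
    # for them is noise rather than a Kerberoasting signal.
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return True


def find_rc4_tgs_requests(lines):
    """Return the parsed events that match the RC4 service-ticket condition."""
    return [ev for ev in map(parse_event, lines) if is_rc4_service_ticket(ev)]


def summarize_by_account(events):
    """Group flagged events by requesting account -> sorted list of service names."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["AccountName"]].append(ev["ServiceName"])
    return {acct: sorted(set(svcs)) for acct, svcs in by_acct.items()}


if __name__ == "__main__":
    hits = find_rc4_tgs_requests(SAMPLE_EVENTS)
    for acct, services in summarize_by_account(hits).items():
        print(f"{acct}: RC4 service tickets requested for {', '.join(services)}")
```

On the constructed sample this flags only jdoe's two RC4 tickets for svc_sql and svc_web; the AES ticket, the machine-account ticket, the krbtgt ticket, the failed request and the 4768 event are all ignored. In a real environment the count of distinct services per account within a short window is the figure worth alerting on, and the longer-term fix the article's AES-128/256 remark points at is configuring service accounts to offer only AES encryption types so that an RC4 ticket is never issued in the first place.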

Wyden’s office reportedly urged Microsoft in July 2024 to warn customers about RC4’s risks and make stronger encryption options the default. However, Microsoft only published a highly technical blog post in October, which the Senator criticized for failing to effectively reach decision-makers at healthcare organizations and other critical sectors. Wyden asserts that without clear and actionable communication, organizations remain dangerously exposed.

Microsoft, in response, insists that RC4 is used in less than 0.1% of its traffic and is retained primarily to support legacy systems that cannot transition to stronger algorithms. A company spokesperson emphasized that RC4 is “discouraged” in both engineering and documentation, but completely disabling it would “break many customer systems.” Microsoft further stated it has a roadmap to eventually phase out RC4 while balancing security improvements with customer stability.

Despite Microsoft’s assurances, Wyden frames the issue as a national security threat, warning that unless the FTC intervenes, the company’s negligence combined with its dominant position in enterprise systems could lead to more catastrophic breaches. “Without timely action, Microsoft’s culture of negligent cybersecurity… makes additional hacks inevitable,” Wyden wrote.

Conclusion
The dispute highlights the growing tension between policymakers and Big Tech over cybersecurity accountability. As critical infrastructure increasingly depends on Microsoft systems, the company’s handling of legacy encryption like RC4 has become more than just a technical matter—it’s a question of public trust and national security. Whether the FTC takes action may set a precedent for how U.S. regulators enforce security standards in the tech industry.
