A “cascade of errors” by tech giant Microsoft led to Chinese hackers accessing the email accounts of senior US officials, a scathing report revealed.
The Biden-appointed Cyber Safety Review Board (CSRB) said it found “operational and strategic decisions” led to the July breach.
The report, released on Tuesday, outlined Microsoft’s failures, including subpar cybersecurity practices, a lax corporate culture and a lack of sincerity about its knowledge of a targeted breach.
The review board also made recommendations to the trillion-dollar company to prevent a catastrophe of this magnitude from happening again.
It concluded that Microsoft’s security culture was “inadequate” and “requires an overhaul,” and it blasted the company for what the board deemed a “preventable” intrusion that should “never have occurred.”
“The Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” the review board wrote.
It also revealed that Microsoft still doesn’t know how the hackers got in, according to AP.
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” a Microsoft spokesperson said in a statement.
The company added that it would “continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
In July, Storm-0558, a China-based threat actor with espionage objectives, broke into the emails of a total of 22 organizations and more than 500 people globally, including US ambassador to China, Nicholas Burns.
In a blog post, Microsoft said that the same group has been engaged in similar intrusions — compromising cloud providers or stealing authentication keys so it can break into accounts — since at least 2009, targeting companies including Google, Yahoo, Adobe, Dow Chemical and Morgan Stanley.