Microsoft May Face FTC Investigation Over Chinese Email Hack (Exclusive)

The Federal Trade Commission may investigate whether Microsoft violated a 20-year-old cybersecurity promise to the commission by failing to prevent a May hack into its customers’ email accounts that it only disclosed recently, according to a letter obtained exclusively by The Messenger.

“The Commission will ‘shift resources to order compliance and enforcement, especially against the largest respondents,’” FTC Chair Lina Khan said in an Oct. 18 letter to Sen. Ron Wyden (D-Ore.), quoting from language included in a 2021 FTC report to Congress. “We will continue to work to deter corporate recidivism.”

In July, Microsoft announced that suspected Chinese government hackers had breached roughly 25 of its customers, including the Commerce and State departments, where the hackers stole emails from senior officials preparing for diplomatic meetings. In September, the company admitted that the hackers took advantage of poorly designed Microsoft software to steal powerful account security keys, which tell the company’s servers to grant access to certain accounts.

In failing to construct systems to prevent this attack, Microsoft may have violated a legally binding promise to the FTC.

In August 2002, Microsoft reached a settlement with the FTC over charges that it failed to protect customer data collected through several of its services. The settlement, which expired last December, required Microsoft to “establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers,” among other things.

In July, Wyden sent a letter urging Khan to “take all necessary steps” to hold Microsoft responsible “for any violations of that order” from 2002. More generally, he also pressed Khan to “determine if Microsoft violated federal laws enforced by the Federal Trade Commission, including those prohibiting unfair and deceptive business practices.”

In her response to Wyden, Khan walked a careful line. She didn’t promise to open an investigation into Microsoft’s possible violation of the settlement, but she did reference the FTC’s fight against “corporate recidivism” and acknowledge the 2002 settlement — potentially signaling her intention to look into the matter.

Microsoft and the FTC did not provide comments on Khan’s letter.

Federal Trade Commission Chair Lina Khan speaks during a discussion on antitrust reforms at the Brookings Institution in Washington, DC. (Photo: Drew Angerer/Getty Images)

Khan told Wyden that the FTC was committed to scrutinizing the cybersecurity postures of cloud companies in general, pointing to the commission’s recent request for public feedback on the best ways to oversee the industry.

“We have seen that large swathes of the economy are becoming more reliant on the cloud, yet only a small handful of providers are currently equipped to provide this key infrastructure,” she told the senator.

But while the FTC is clearly interested in studying the cybersecurity consequences of weak competition in the cloud industry, it is less certain that Khan will seek to punish Microsoft over the email breach. For one thing, it is unclear whether the commission would be able to establish that Microsoft could have reasonably foreseen and corrected the highly technical failures that enabled the Chinese hack.

Still, Khan may be looking for ways to reassure critics that the FTC can still crack down on companies with near-monopolistic grips on their markets — especially Microsoft. Her antitrust agenda suffered a major blow in July when a federal court threw out the FTC’s attempt to block Microsoft from purchasing the video game maker Activision Blizzard.

Khan is a fiery critic of what she describes as unchecked corporate power and large businesses’ disregard for consumer harm, and taking on Microsoft again would fit right into her strategy.

“I share your deep concern about this incident,” Khan told Wyden, adding that “U.S. government agencies and specific U.S. consumers may have been gravely harmed.”

Wyden said he was pleased by Khan’s response.

“Microsoft’s security failures led to the Chinese government hacking into the emails of senior U.S. government officials,” he said in a statement. “Microsoft needs to be held accountable and I’m glad the FTC is taking this incident seriously.”
