Sen. Wyden Urges FTC to Investigate Microsoft Over Cybersecurity Failures

The Silicon Review
11 September, 2025

U.S. Senator Ron Wyden is pressing the Federal Trade Commission to investigate Microsoft, accusing the company of “gross cybersecurity negligence” that he says has endangered national security and exposed millions of Americans to data breaches. In a September 10 letter to FTC Chairman Andrew Ferguson, Wyden argued that Microsoft’s handling of security has fueled ransomware attacks on critical infrastructure, particularly in health care. He wrote that default settings in the Windows operating system have left organizations vulnerable and that the company’s dominance in enterprise IT leaves many customers with no alternative.

“At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden said, warning that government agencies and private companies are effectively locked into using the software.

The senator pointed to the May 2024 ransomware attack on Ascension, one of the largest hospital operators in the United States, as evidence of systemic problems. That breach exposed sensitive medical and insurance records of nearly 5.6 million people. According to Wyden, the attack began when a contractor using an Ascension-issued laptop clicked on a malicious link delivered through Microsoft’s Bing search engine. Hackers then gained access to the company’s Microsoft Active Directory server, a key system for managing user accounts. Wyden said Microsoft’s support for outdated encryption technology and risky default configurations enabled the breach. He also faulted the company for failing to adequately educate customers about security risks.

Microsoft rejected the characterization. A spokesperson said that the RC4 encryption standard cited by Wyden now accounts for “less than .1% of our traffic” and is already discouraged. Completely disabling it, the company argued, would break existing customer systems. The spokesperson added that RC4 will be disabled by default in some Windows products starting in early 2026, alongside new mitigations for current users. The FTC confirmed receipt of Wyden’s letter but offered no comment. The senator has previously called for federal review of Microsoft’s role in major cyber incidents, including the 2023 breach in which Chinese-linked hackers stole thousands of government emails.

 
