Microsoft Faces Scrutiny Over Cybersecurity Practices After Ransomware Attacks

Senator Ron Wyden of Oregon has urged the Federal Trade Commission (FTC) to investigate Microsoft for alleged cybersecurity shortcomings that may be exposing customers to ransomware attacks and other threats. The senator’s concerns stem from a 2024 ransomware incident involving the Ascension hospital system, where hackers exploited vulnerabilities in Microsoft’s default settings to steal sensitive patient information. Scrutiny of Microsoft continues as lawmakers highlight systemic cybersecurity weaknesses.

Default Settings Under Fire

The ransomware attack on Ascension affected over 5.6 million patients, compromising personal, medical, payment, insurance, and government ID data. According to Wyden’s staff, the breach began when a contractor using Microsoft’s default browser, Edge, clicked a phishing link while using Bing’s search engine. This led to malware spreading across Ascension’s network and gaining administrative access through Active Directory, a Microsoft tool that manages user accounts. The incident is one of the key reasons Microsoft faces scrutiny from regulators and cybersecurity experts.

Hackers used a method called Kerberoasting, which takes advantage of outdated encryption protocols. Specifically, the attackers exploited RC4, a 1980s encryption standard still supported by default in Microsoft’s systems. Experts have long warned that RC4 is weak and prone to attacks, yet it remains enabled for compatibility reasons. Microsoft faces scrutiny partly because such outdated security protocols remain in use by default.

“This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts have for more than a decade warned is dangerous,” Wyden’s letter to the FTC explained.

Though safer encryption methods such as the Advanced Encryption Standard (AES) exist and are widely recommended by cybersecurity agencies, Microsoft’s default configurations continue to support weaker protocols. Wyden questioned why Microsoft had not phased out RC4, arguing that the company’s choices unnecessarily put its customers at risk. The scrutiny of Microsoft grows louder with these concerns over default encryption practices.
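A defender's view of the RC4 issue described above, as an added example that is not part of the original article: it scans Kerberos service-ticket records (Windows Security event 4769) for tickets issued with RC4 (encryption type 0x17) and flags a requester that collects RC4 tickets for several distinct service accounts in a short window. The account names, the sample records, and the three-services-in-five-minutes threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23 (rc4-hmac) as logged in Security event 4769

def _ev(time, user, service, etype, event_id=4769):
    # Helper for the constructed sample data below (hypothetical names throughout).
    return {"EventID": event_id, "time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample records; not taken from the Ascension incident.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:05", "contractor1@EXAMPLE.LOCAL", "svc_sql", "0x17"),
    _ev("2024-05-01T09:00:40", "contractor1@EXAMPLE.LOCAL", "svc_backup", "0x17"),
    _ev("2024-05-01T09:01:30", "contractor1@EXAMPLE.LOCAL", "svc_web", "0x17"),
    _ev("2024-05-01T09:02:00", "alice@EXAMPLE.LOCAL", "svc_sql", "0x12"),       # AES256
    _ev("2024-05-01T09:03:00", "bob@EXAMPLE.LOCAL", "svc_legacy", "0x17"),      # lone RC4 client
    _ev("2024-05-01T09:04:00", "carol@EXAMPLE.LOCAL", "FILESRV01$", "0x17"),    # machine account
    _ev("2024-05-01T09:05:00", "alice@EXAMPLE.LOCAL", "krbtgt", "0x12", 4768),  # TGT request
]

def rc4_ticket_requests(events):
    """Return 4769 records where a user-backed service ticket was issued with RC4."""
    hits = []
    for ev in events:
        svc = ev["ServiceName"]
        if ev["EventID"] != 4769 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt use long random keys
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            hits.append(ev)
    return hits

def suspected_roasting(events, min_services=3, window=timedelta(minutes=5)):
    """Map each requester to the distinct services it got RC4 tickets for in one window."""
    by_user = defaultdict(list)
    for ev in rc4_ticket_requests(events):
        by_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for start, _ in reqs:
            services = {s for t, s in reqs if timedelta(0) <= t - start <= window}
            if len(services) >= min_services:
                flagged[user] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    print(suspected_roasting(SAMPLE_EVENTS))
```

A single RC4 ticket, like the one for the lone legacy client in the sample, is not flagged on its own but still shows where RC4 is in use and needs to be migrated to AES.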

Microsoft’s Response

A Microsoft spokesperson responded by stating that while RC4 is discouraged and comprises less than 0.1% of their traffic, completely disabling it could disrupt existing systems. The company emphasized its gradual approach to reducing RC4’s use, including warnings and advice for safer usage. Microsoft faces scrutiny, however, as critics argue this phased plan is too slow given the risks.

Microsoft’s spokesperson added: “Disabling its use completely would break many customer systems. For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible.”

The company also announced plans to disable RC4 by default in Active Directory installations beginning in the first quarter of 2026. However, broader removal of the protocol from other systems is still being considered without a clear timeline. These delays are another reason Microsoft faces scrutiny in Washington and across the cybersecurity industry.

Broader Cybersecurity Implications

The attack on Ascension highlights the challenges many organizations face when default software settings prioritize compatibility over security. In theory, administrators can change these settings, but Wyden pointed out that in practice, most organizations rely on default configurations, leaving them vulnerable. Microsoft faces scrutiny as these default choices play a role in widespread vulnerabilities.

“Microsoft chooses the default settings, including the security features that are enabled automatically and the required security settings (e.g. minimum password length),” Wyden wrote. “While organizations can change those settings, in practice, most do not.”

The ransomware incident and Wyden’s call for investigation underscore the growing concerns around cybersecurity practices in critical infrastructure sectors like healthcare. Cyber threats exploiting outdated protocols can lead to widespread disruptions and significant data breaches. The scrutiny of Microsoft remains central to this debate about default security priorities.

Looking Ahead

Microsoft’s roadmap to phase out insecure protocols, though underway, faces criticism for being too slow given the risks involved. With ransomware attacks becoming more frequent and sophisticated, experts emphasize the need for proactive measures, including default security configurations that prioritize protection over convenience. The scrutiny of Microsoft will likely continue until these changes are fully implemented.

As cyber incidents continue to impact businesses, healthcare providers, and public services, ensuring that default settings align with best practices will be essential for safeguarding sensitive information and minimizing vulnerabilities.

Further developments are expected as cybersecurity watchdogs and industry experts continue to evaluate Microsoft’s response and monitor the implementation of stronger security standards. The scrutiny Microsoft faces will remain a headline issue in the ongoing conversation around corporate cybersecurity accountability.
