Senator Wyden Blames Microsoft's RC4 Encryption for 5M Patient Data Exposure

Generated by AI Agent, Market Intel
Wednesday, Sep 10, 2025 10:05 am ET

Aime Summary

- Senator Ron Wyden accused Microsoft of "serious network security negligence" after a ransomware attack exposed data for 5 million Ascension patients.

- Hackers exploited outdated RC4 encryption in Windows systems via a malicious Bing link, using Kerberoasting to crack privileged account passwords.

- Microsoft claims RC4 accounts for <0.1% of traffic and plans to disable it by 2026, but Wyden argues most customers remain vulnerable to similar attacks.

- Wyden warned the FTC that Microsoft's "monopolistic position" combined with security neglect could threaten national infrastructure and public trust.

Senator Ron Wyden, a Democrat from Oregon, has publicly criticized Microsoft for network security weaknesses that he says led to a ransomware attack on a major U.S. hospital system. In a letter to Federal Trade Commission (FTC) Chairman Andrew Ferguson, Wyden accused Microsoft of "serious network security negligence," citing the recent attack on Ascension, one of the largest non-profit healthcare systems in the U.S. The attack shut down multiple hospital computer systems, forced the suspension of surgeries, and exposed sensitive data for over five million patients.

The attack on Ascension began when Bing returned a malicious link to a contractor, who clicked on it, giving the attackers a foothold in the network. The attackers then took advantage of RC4, an outdated and insecure encryption algorithm that Windows systems still support for Kerberos. Using a technique known as Kerberoasting, they cracked the passwords of privileged accounts and gained full access to the environment. An investigation by Wyden's office concluded that the attack was made possible by Microsoft's long-standing support for the "ancient and insecure" RC4 algorithm, which let the attackers recover account passwords with little effort. He also accused Microsoft of concealing this decision from its enterprise and government customers, producing a situation where "a single employee clicking on a malicious link can cause a ransomware infection across the entire organization."

Microsoft spokesperson David Cardy responded by acknowledging that RC4 is an "old standard" that accounts for less than 0.1% of Microsoft's traffic. The company said it is gradually phasing RC4 out and plans to disable it by default in new installations of Active Directory by 2026. Wyden countered that the majority of Microsoft's customers remain at risk as long as the insecure algorithm stays enabled. This is not the first time Wyden has criticized Microsoft. In July 2024, he questioned the company's leadership about Kerberos security issues, prompting a technical blog post in October 2024 that gave organizations guidance on protecting themselves from such attacks and announced an update to disable RC4. That update has yet to be officially released, leaving government agencies and non-profit organizations exposed to further attacks.
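The article names the attack technique (Kerberoasting over RC4-encrypted Kerberos service tickets) and the mitigation (disabling RC4). For a defender, the practical first steps are to find which service accounts still hand out RC4 tickets and to spot a user requesting many of them in a burst. The following script is an added example, not code from the article or from Microsoft's guidance; it scans Windows Security event 4769 ("A Kerberos service ticket was requested") records, where a TicketEncryptionType of 0x17 means RC4-HMAC and 0x11/0x12 mean AES. The event records and the threshold of three are constructed for illustration.

```python
"""Find RC4 (0x17) Kerberos service tickets in Windows event 4769 records.

Added example for the Ascension/RC4 article; the sample events below are
constructed and do not come from any real incident. Field names follow the
4769 event schema (TargetUserName is the requesting account, ServiceName the
account whose ticket was issued).
"""

from collections import Counter

RC4_HMAC = 0x17          # etype 23, the algorithm Kerberoasting targets
AES_TYPES = {0x11, 0x12}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample of 4769 events (not real log data).
SAMPLE_EVENTS = [
    {"TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    # A normal AES ticket for the same service: not flagged.
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.10"},
    # Machine account ticket: RC4 here is a separate hygiene issue, skipped.
    {"TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.5"},
    # TGS for krbtgt itself is not a roastable service ticket, skipped.
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.11"},
]


def is_rc4_service_ticket(event):
    """True when the ticket used RC4 and was issued for a user service account."""
    etype = int(event["TicketEncryptionType"], 16)
    service = event["ServiceName"]
    if etype != RC4_HMAC:
        return False
    # Machine accounts ($) and the krbtgt account are excluded so the output
    # stays focused on SPN-bearing user accounts with crackable passwords.
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return True


def rc4_service_tickets(events):
    """All RC4 service-ticket events, in log order."""
    return [e for e in events if is_rc4_service_ticket(e)]


def services_still_on_rc4(events):
    """Service accounts that issued at least one RC4 ticket: candidates for
    AES-only keys (msDS-SupportedEncryptionTypes) and a password rotation."""
    return sorted({e["ServiceName"] for e in rc4_service_tickets(events)})


def suspicious_requesters(events, threshold=3):
    """Requesting accounts with >= threshold RC4 service tickets. A single
    principal pulling many RC4 tickets in a short window is the classic
    Kerberoasting signature; the threshold is an illustrative assumption."""
    counts = Counter(e["TargetUserName"] for e in rc4_service_tickets(events))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("RC4 service accounts:", services_still_on_rc4(SAMPLE_EVENTS))
    print("Suspicious requesters:", suspicious_requesters(SAMPLE_EVENTS))
```

On the sample data the script reports three service accounts still issuing RC4 tickets and one requester that pulled all three, which is the shape of activity the article describes. In production the events come from the domain controllers' Security logs; the same per-requester count over a short time window is what most Kerberoasting detections key on, and the service-account list is the remediation backlog for moving those accounts to AES-only keys before RC4 is disabled domain-wide.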

Wyden warned that if the FTC does not act, Microsoft's "culture of neglecting network security" combined with its "monopolistic position in the operating system market" could pose a significant threat to national security. He believes further cyberattacks are inevitable unless Microsoft takes more proactive measures to address these weaknesses. The FTC has not commented on the matter, and Ascension has not responded to requests for an interview. The case underscores the need for stronger cybersecurity measures and accountability in the tech industry to protect critical infrastructure and sensitive data.
