U.S. Senator Ron Wyden has formally asked the Federal Trade Commission to examine Microsoft for what he describes as significant cybersecurity shortcomings. The request cites repeated security incidents and raises questions about the company’s role in safeguarding critical infrastructure.
In a letter addressed to FTC Chairman Andrew Ferguson, Wyden emphasized that Microsoft’s approach to cybersecurity continues to pose potential threats to national security. The senator referenced ransomware attacks affecting infrastructure and healthcare organizations, which he attributes in part to default Windows system configurations.
Wyden characterized Microsoft as a company that, due to its extensive presence in enterprise IT, leaves organizations with little choice but to rely on its products. He noted that this near-monopoly status amplifies the implications of any security gaps.
A key example presented in the letter was a ransomware attack on the hospital operator Ascension in May 2024. According to Wyden, the attack exposed private medical and insurance data for approximately 5.6 million individuals. The breach reportedly occurred when a contractor using an Ascension laptop interacted with a malicious link served via Microsoft’s Bing search engine, ultimately providing hackers access to the organization’s network and its Microsoft Active Directory server.
Wyden suggested that outdated encryption technology and default security configurations contributed to the vulnerability exploited during this incident. He also noted that companies may not have sufficient guidance on mitigating these risks.
A Microsoft spokesperson addressed the concerns regarding the RC4 encryption standard mentioned in Wyden’s letter, explaining that the protocol is outdated and accounts for less than 0.1% of network traffic. The spokesperson emphasized that while Microsoft discourages its use, completely disabling it could disrupt customer systems.
Microsoft indicated that RC4 will be disabled by default in select Windows products starting in the first quarter of 2026. Additional mitigations and guidance are planned for existing deployments to reduce exposure while maintaining operational stability.
The FTC acknowledged receipt of Wyden’s letter but declined to comment further. The senator has previously advocated for government oversight of Microsoft’s cybersecurity practices, particularly following disclosures of cyberattacks linked to foreign actors that targeted U.S. government officials.
Wyden’s request underscores broader concerns about the security of enterprise IT systems. As Microsoft products are widely used across government agencies and private companies, any gaps in security or outdated protocols have the potential to impact numerous sectors. The discussion also raises considerations about regulatory oversight and the responsibility of large technology firms in mitigating cybersecurity risks.
Microsoft has emphasized gradual changes aimed at enhancing security without disrupting customers. The company maintains that it provides warnings and guidance to ensure safe use of legacy technologies and continues to implement security updates across its platforms.
Senator Wyden’s request represents a call for regulatory scrutiny of Microsoft’s cybersecurity practices. It highlights the intersection of corporate responsibility, technology standards, and national security concerns, prompting ongoing discussion about how large technology firms manage risk and support their customers in preventing cyber threats.