US hospital system hacked, senator urges FTC to investigate Microsoft (MSFT.US) over cybersecurity failings

Zhitongcaijing · 09/10/2025 13:49

The Zhitong Finance App learned that US Senator Ron Wyden, a Democrat from Oregon, has sent a letter to Federal Trade Commission (FTC) Chairman Andrew Ferguson publicly accusing Microsoft (MSFT.US) of a glaring cybersecurity failing that, he says, enabled a ransomware attack on a US hospital system, and calling on the FTC to open an investigation.

The Oregon Democrat accuses Microsoft of “serious cybersecurity omissions,” saying this negligence led to ransomware attacks on America's critical infrastructure. In his letter he cited the 2024 Ascension incident as an example: Ascension, one of the largest non-profit healthcare systems in the US, was forced to take computer systems offline at many of its hospitals after the intrusion, suspending operations and exposing the sensitive data of more than 5 million patients.

According to the investigation by Wyden's office, the attack began when a contractor clicked a malicious link returned by a Bing search. Once inside the Ascension network, the attackers exploited Active Directory's continued support for the weak RC4 cipher in Kerberos to crack the passwords of privileged accounts through a Kerberoasting attack (requesting Kerberos service tickets and cracking the password-derived key offline), and used those accounts to take over the environment.

Wyden stressed that Microsoft has long kept the “ancient and unsafe” RC4 cipher enabled, making account passwords easy for attackers to crack, and that the company concealed this dangerous choice from enterprise and government customers. This negligence, he said, allowed “a single employee clicking a bad link to trigger an organization-wide ransomware infection.” Not only did Microsoft fail to stop the attack, he argued, it allowed “ransomware caused by dangerous software to proliferate.”

Although Microsoft spokesman David Cardi responded that RC4 is an “old standard” that now accounts for less than 0.1% of its traffic, that the company is steadily reducing customer usage, and that it plans to disable the cipher by default in newly installed Active Directory deployments starting in 2026, Wyden maintains that the vast majority of Microsoft customers remain exposed, since a new-install default leaves existing domains unchanged unless administrators opt in.
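
The article names the technique but not what a defender would look for. As an added example (not from the article, Wyden's letter, or Microsoft), the following Python flags the Kerberoasting pattern in Windows Security event 4769 records (one account obtaining RC4-encrypted service tickets, encryption type 0x17, for several user service accounts within a short window) and audits which accounts would still be issued RC4 tickets based on the msDS-SupportedEncryptionTypes attribute. The 4769 field names and the attribute's bit flags are Microsoft's; all account names, SPNs, log records, and the five-minute, three-service threshold are constructed assumptions for illustration.

```python
"""Added example (not from the article): flag likely Kerberoasting from Windows
Security event 4769 records and audit which AD accounts still permit RC4.
All account names, SPNs and log records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type numbers as they appear in 4769's TicketEncryptionType field.
ETYPE_RC4_HMAC = 0x17  # 23: key is the unsalted NT hash, so offline guessing is cheap
ETYPE_AES128 = 0x11    # 17: key derived with PBKDF2 (4096 iterations) and a salt
ETYPE_AES256 = 0x12    # 18

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
SET_RC4, SET_AES128, SET_AES256 = 0x4, 0x8, 0x10


def permits_rc4(supported_etypes):
    """True if an account will be issued RC4 service tickets. An absent or zero
    attribute means 'domain default', which on existing domains includes RC4."""
    if not supported_etypes:
        return True
    return bool(supported_etypes & SET_RC4)


def audit_service_accounts(accounts):
    """Return the SPN-bearing user accounts that still accept RC4 tickets,
    i.e. the ones an attacker could Kerberoast cheaply."""
    return sorted(
        a["sam"] for a in accounts
        if a.get("spns") and permits_rc4(a.get("msDS-SupportedEncryptionTypes"))
    )


def is_roastable_request(ev):
    """A successful 4769 for an RC4 ticket to a user service account. Computer
    accounts ($) and krbtgt are excluded: their passwords are long and random,
    so cracking their tickets is impractical and they only add noise."""
    svc = ev["ServiceName"]
    return (
        ev["EventID"] == 4769
        and ev["TicketEncryptionType"] == ETYPE_RC4_HMAC
        and ev["Status"] == 0x0
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {requesting account: [service accounts]} for accounts that obtained
    RC4 tickets for at least min_services distinct user SPNs inside one window.
    The window and threshold are assumed tuning values, not Microsoft guidance."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            in_window = {e["ServiceName"] for e in evs[i:]
                         if e["Time"] - first["Time"] <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted(in_window)
                break
    return alerts


def _ev(minute, user, service, etype, status=0x0):
    """Build a constructed 4769 record carrying only the fields the detector uses."""
    return {"EventID": 4769, "Time": datetime(2024, 5, 8, 9, minute),
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample telemetry: one compromised contractor account pulls RC4
# tickets for several service accounts in quick succession (the Kerberoasting
# pattern); the remaining records are noise a naive "any RC4" rule would trip on.
SAMPLE_EVENTS = [
    _ev(1, "contractor01", "svc_sql", ETYPE_RC4_HMAC),
    _ev(1, "contractor01", "svc_backup", ETYPE_RC4_HMAC),
    _ev(2, "contractor01", "svc_web", ETYPE_RC4_HMAC),
    _ev(2, "contractor01", "FILESRV01$", ETYPE_RC4_HMAC),   # computer account: ignored
    _ev(3, "contractor01", "krbtgt", ETYPE_RC4_HMAC),        # krbtgt: ignored
    _ev(5, "alice", "svc_sql", ETYPE_AES256),                # AES ticket: fine
    _ev(7, "bob", "svc_web", ETYPE_RC4_HMAC),                # single RC4 ticket: below threshold
    _ev(9, "bob", "svc_sql", ETYPE_RC4_HMAC, status=0x6),    # failed request: ignored
]

# Constructed directory snapshot: msDS-SupportedEncryptionTypes as stored in AD.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql", "spns": ["MSSQLSvc/db01:1433"], "msDS-SupportedEncryptionTypes": None},
    {"sam": "svc_backup", "spns": ["backup/bk01"], "msDS-SupportedEncryptionTypes": SET_RC4 | SET_AES256},
    {"sam": "svc_web", "spns": ["HTTP/web01"], "msDS-SupportedEncryptionTypes": SET_AES128 | SET_AES256},
    {"sam": "jdoe", "spns": [], "msDS-SupportedEncryptionTypes": None},  # no SPN: not roastable
]

if __name__ == "__main__":
    print("Kerberoasting alerts:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Accounts still accepting RC4 tickets:", audit_service_accounts(SAMPLE_ACCOUNTS))
```

In a real deployment the records would come from the domain controllers' Security logs or a SIEM rather than an inline list. Note the two results answer different questions: the detector shows an attack in progress, while the audit shows exposure before one, and the fix for an exposed account is both to set msDS-SupportedEncryptionTypes to an AES-only value and to rotate its password to a long random one, because a ticket that has already been captured can be cracked offline no matter what the account accepts afterwards.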

Notably, this is not the first time Wyden has criticized Microsoft. In July 2024 he raised Kerberos security concerns with senior Microsoft officials, prompting the company to publish a technical blog post that October guiding organizations on preventing such attacks and to announce that it was developing an update to disable RC4.

However, that update has yet to be released, so customers such as government agencies and non-profit organizations likely remain vulnerable. Wyden warned that if the FTC does not act, Microsoft's “corporate culture that ignores cybersecurity” and its “de facto monopoly position in the operating system market” will pose a national security threat and make further attacks inevitable.

The Federal Trade Commission did not comment, and Ascension did not respond to requests for comment.