Microsoft faces regulatory scrutiny as default configurations enabled ransomware attack affecting 5.6 million patients. Racing through hospital corridors during a medical emergency is terrifying enough—but imagine discovering the computer systems can’t access your medical records because hackers crippled the network. That nightmare became reality for Ascension health system patients in 2024, when ransomware shut down operations across 140 hospitals. Now Senator Ron Wyden wants the FTC to investigate Microsoft for what he calls “gross cybersecurity negligence,” and his accusations cut straight to the heart of enterprise software your organization probably uses every day.
How Outdated Defaults Created a Security Disaster
Attackers exploited Microsoft’s continued support for deprecated encryption to steal privileged credentials.
The Ascension breach started when a contractor clicked a malicious link in Bing search results, downloading malware onto a Microsoft laptop. From there, attackers used a technique called “Kerberoasting” to extract authentication credentials from Active Directory—the backbone of most corporate networks. The critical vulnerability? Microsoft still defaults to RC4 encryption, a standard so weak that security experts declared it obsolete in 2015. Your IT department might think they’re running secure systems, but Microsoft’s legacy defaults create hidden attack vectors that hackers exploit with alarming regularity.
The Monopoly Problem No Enterprise Can Escape
Market dominance makes Microsoft’s security choices everyone else’s problem.
Wyden’s letter hits Microsoft where it hurts: their stranglehold on enterprise computing. He compares the company to “an arsonist selling firefighting services” to their victims, pointing out how Microsoft profits from security add-ons while maintaining vulnerable defaults in core products. Most organizations can’t simply switch to alternatives—migrating away from Windows, Active Directory, and Office would cost millions and take years. This trapped-customer dynamic means Microsoft’s security decisions ripple through healthcare systems, government agencies, and Fortune 500 companies whether they like it or not.
Microsoft’s Timeline Falls Short of Urgency
The company promises fixes by 2026 while critics demand immediate action.
Microsoft acknowledges RC4’s weakness but claims instant changes would break legacy systems. Their solution? Gradually phase out RC4 with full deprecation planned for Q1 2026—nearly a decade after security experts sounded the alarm. For context, that’s like Netflix still supporting dial-up internet because some customers haven’t upgraded yet. Cybersecurity expert Ensar Seker notes that “national security is now tightly coupled with the configuration defaults of dominant IT platforms.”
Wyden’s FTC investigation request signals a broader shift in Big Tech accountability. Regulators increasingly expect dominant platforms to secure systems by default rather than selling security as an expensive add-on. For enterprise customers, this controversy highlights an uncomfortable truth: your organization’s security posture depends heavily on vendor choices made in Redmond conference rooms, not your own IT policies.
