The American hospital system was attacked by hackers, and a senator urges the FTC to investigate Microsoft Corporation's (MSFT.US) network security vulnerability.

Democratic Senator Ron Wyden from Oregon wrote a letter to Federal Trade Commission (FTC) Chairman Andrew Ferguson, publicly accusing Microsoft Corporation (MSFT.US) of having significant network security vulnerabilities that resulted in ransomware attacks on US hospital systems, and has called for the FTC to launch an investigation. The Democratic senator from Oregon accused Microsoft Corporation of "serious network security negligence," stating that this negligence led to ransomware attacks on critical infrastructure in the United States. He cited the 2024 Ascension Health System incident as an example: as one of the largest non-profit healthcare systems in the US, Ascension was forced to shut down multiple hospital computer systems due to a hacker attack, resulting in surgical delays and the exposure of sensitive data of over 5 million patients. Wyden's office investigation found that the attack originated from Bing returning a malicious link to a contractor, who clicked on it and fell victim, allowing hackers to infiltrate the Ascension network. They then used the insecure encryption technology RC4 supported by default in the Windows system, and used Kerberoasting attack methods to crack privileged account passwords, ultimately leading to the system breach. Wyden emphasized that Microsoft Corporation has long been using "old and insecure" RC4 encryption technology, allowing hackers to easily crack account passwords, and the company has concealed this risky decision from enterprise and government clients. He pointed out that this negligence results in "a single employee clicking on a link can lead to ransomware infecting the entire organization," and Microsoft Corporation not only failed to effectively prevent attacks, but also allowed "ransomware proliferation caused by dangerous software." Although Microsoft Corporation spokesperson David Cady responded that RC4 is an "old standard" accounting for less than 0.1% of its traffic, and that the company is gradually reducing its customers' use and planning to disable the technology by default in new installations of Active Directory systems starting in 2026, Wyden believes that the majority of Microsoft Corporation customers are still exposed to attack risks. It is worth noting that this is not the first time Wyden has criticized Microsoft Corporation. In July 2024, he already raised questions with Microsoft Corporation executives about kerberos security issues, prompting the company to release a technical blog in October of the same year advising organizations on how to prevent attacks and announcing the development of updates to disable RC4. However, the update has not been officially released yet, leaving government agencies, non-profit organizations, and other customers vulnerable to hacker attacks. Wyden warned that if the FTC does not take action, Microsoft Corporation's "neglectful corporate culture towards network security" and "operating system market dominance" will pose a national security threat, making more hacker attacks inevitable. The FTC did not comment on the matter, and Ascension Health System did not respond to interview requests.