A recent report from the Cyber Safety Review Board (CSRB) highlights significant security flaws in Microsoft's systems that led to a breach by hackers associated with China. The report points out that Microsoft's lax security measures allowed the hackers to access the company's networks, compromising the emails of senior US officials.
The CSRB identified multiple vulnerabilities in Microsoft's authentication system that were exploited by the hackers, granting them unauthorized access to Exchange Online accounts worldwide. This breach affected high-profile individuals such as Commerce Secretary Gina Raimondo and US Ambassador to China R. Nicholas Burns.
One of the key criticisms in the report is Microsoft's failure to adequately protect its signing keys, which facilitated the hackers' intrusion. Additionally, the board noted that Microsoft did not detect the compromised accounts independently, relying on a customer report to identify the issue.
The CSRB emphasized that the breach was preventable and attributed it to deficiencies in Microsoft's security culture. The board called for a comprehensive overhaul of Microsoft's security practices, given the company's pivotal role in the technology ecosystem and the trust placed in it by customers.
In response to the report, Microsoft acknowledged the need for a new approach to security within its networks. The company stated that it is actively working to enhance its security infrastructure, address legacy vulnerabilities, and enforce stricter security protocols.
Furthermore, the CSRB criticized Microsoft for inaccuracies in its public statements regarding the root cause of the breach. Despite initially claiming to have identified the cause in September 2023, Microsoft later admitted its error to the board, leading to a delayed correction in March 2024.
Given Microsoft's critical role in national security and the global economy, the CSRB emphasized the urgent need for the company to swiftly and substantially improve its security measures to mitigate future risks.