Microsoft Admits Security Lapse Allowing China to Hack US Government Emails

Microsoft Admits Security Failings: Chinese Hackers Accessed US Government Emails

Microsoft President Brad Smith acknowledged the company's security failures that allowed Chinese state hackers to access US government officials' emails in the summer of 2023. In testimony before the US House Committee on Homeland Security on June 13, 2024, Smith accepted full responsibility for the issues highlighted in a Cyber Safety Review Board (CSRB) report.

The CSRB report, released in April 2024, detailed a series of security lapses that enabled the Chinese threat actor Storm-0558 to compromise email accounts of 25 organizations, including US government officials. The attackers exploited Microsoft's encryption key and authentication system flaws to gain unrestricted access to Exchange Online accounts worldwide.

The investigation pointed to a deficient security culture at Microsoft and identified flaws in its mergers and acquisitions (M&A) security assessment process. The CSRB report also provided 25 cybersecurity recommendations to Microsoft and other cloud service providers to prevent future intrusions.

In his statement, Smith underscored Microsoft's critical cybersecurity role and acknowledged the worsening threat landscape due to global conflicts like the Russia-Ukraine war. He expressed regret for the impact of the Storm-0558 attack and outlined Microsoft's commitment to strengthening cybersecurity measures based on the CSRB's recommendations.

Microsoft is implementing a new key management system, enhancing detection capabilities, and prioritizing security across its operations. The company is also bolstering its security workforce and establishing an Office of the CISO to oversee security integration in engineering processes.

Additionally, Microsoft announced a delay in the roll-out of its Recall AI feature for Copilot and Windows PCs to conduct further security testing. The delay follows privacy concerns and feedback from the Windows Insider Community.

Smith emphasized Microsoft's dedication to learning from past mistakes and building a secure future through new strategies, increased investments, and a reinforced cybersecurity culture.
