Senator Presses For FTC Probe of Microsoft for Cybersecurity Negligence
September 25, 2025

Senator Ron Wyden has formally requested that the Federal Trade Commission investigate Microsoft, accusing the company of “gross cybersecurity negligence.”
Andy Edser of PC Gamer reports that Wyden’s letter focuses on the company’s continued support for the RC4 encryption cipher. His office contends that the major ransomware breach at healthcare provider Ascension was directly enabled by RC4.
The senator alleges that Microsoft’s software engineering decisions have left critical systems vulnerable, exposing hospitals and other institutions to devastating attacks.
RC4 was first introduced in 1987 and quickly became a widely adopted encryption method, remaining so until its weaknesses were exposed in the 1990s.
Despite industry-wide movement toward stronger standards, RC4 remains supported in Microsoft’s Windows operating system, specifically within Active Directory, a tool used for account and system administration.
Wyden’s office concluded that this support enabled “Kerberoasting” techniques, which attackers used to escalate privileges and spread ransomware during the Ascension breach.
That incident compromised sensitive data from 5.6 million patients, after hackers exploited the encryption flaw to move laterally across the provider’s network.
The senator’s letter accuses Microsoft of failing to provide a timely fix despite acknowledging the vulnerability and issuing guidance. He also criticizes the company for profiting from selling cybersecurity add-on services while leaving base software insecure, like “an arsonist selling firefighting services.”
Microsoft responded that RC4 accounts for less than 0.1% of traffic, and disabling it outright would disrupt customer systems.
The company stated it plans to disable RC4 by default in Windows Server 2025 and introduce further protections for existing deployments.
Legal teams for companies that continue to support outdated encryption or delay remediation efforts should be aware of possible investigations. They also risk enforcement actions and liability tied to the downstream harms caused by vulnerable software.