A US government review board said in a scathing report released on Tuesday that a "cascade of security failures" by Microsoft allowed Chinese-backed hackers to break into the email accounts of senior US officials.
The Cyber Safety Review Board concluded that the online intrusion was "preventable" and that Microsoft's corporate culture "deprioritised enterprise security investments and rigorous risk management".
It said that "Microsoft's security culture was inadequate and requires an overhaul" given the company's central role in the global technology ecosystem.
Microsoft products "underpin essential services that support national security, the foundations of our economy, and public health and safety," the report continued.
The panel also made sweeping recommendations, including urging Microsoft to put on hold adding features to its cloud computing environment until "substantial security improvements have been made".
It said Microsoft's CEO and board should institute "rapid cultural change" including publicly sharing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products".
'Harden systems against attack'
In a statement, Microsoft said it appreciated the board’s investigation and would "continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries".
The state-backed Chinese hackers broke into the Microsoft Exchange email of 22 organisations and more than 500 individuals.
The report said the hackers accessed some cloud-based email boxes for at least six weeks and downloaded some 60,000 emails from the State Department alone.
Three think tanks and four foreign government entities, including Britain's National Cyber Security Centre, were among those compromised, it said.
The report says the online intrusion was able to succeed due to "the cascade of Microsoft’s avoidable errors".
The board, which was created by a US executive order in 2021, also accused Microsoft of making inaccurate statements about the incident including that it had determined the cause of the intrusion "when in fact, it still has not".
