Microsoft’s ‘cascade of security failures’ blamed for Chinese hack of U.S. officials

A “cascade of security failures” at Microsoft allowed a state-backed Chinese hacking group to access the email accounts of senior U.S. government officials last year, according to a blistering report from a cybersecurity review board released Wednesday.

The report from the U.S. Cyber Safety Review Board, created in 2021 by U.S. President Joe Biden, describes widespread issues with the tech giant’s culture of corporate security and transparency, including shoddy cybersecurity practices that have been left unaddressed for years. It says Microsoft needs to completely overhaul that security culture to ensure such a “preventable” breach doesn’t happen again.

Most concerningly, the board found Microsoft still doesn’t know how the hackers broke in — despite public statements at the time saying otherwise, which remained uncorrected for months.

“Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management,” the report says.

“These decisions resulted in significant costs and harm for Microsoft customers around the world. The Board is convinced that Microsoft should address its security culture.”

The intrusion, which began in May 2023 and was first identified by the U.S. State Department the following month, impacted the Microsoft Exchange Online emails of 22 organizations and more than 500 individuals around the world. Those included some of the top U.S. government officials managing the U.S.-China relationship, such as U.S. Commerce Secretary Gina Raimondo and the U.S. ambassador to China, Nicholas Burns.

The Chinese government-affiliated hacking