Ron Wyden: Microsoft Should be Held Accountable for Security Breaches (He Has Said This for Years Already, It Never Happens)

posted by Roy Schestowitz on Sep 11, 2025,
updated Sep 11, 2025

Suppose I leave a door open and thousands of cockroaches run in for a period of several hours. Whose fault is it? The cockroaches' fault? Or mine? Suppose I also leave food in the hallway, attracting them in.

Now take Microsoft: it takes two parties to make systems and databases (with personal information) vulnerable, i.e. doomed to be penetrated. Microsoft makes the holes, then someone deploys the holes. Forget about blaming "China" and "Russia". There's no extradition prospect and holding Russians accountable in much of the world is complicated, more so if they reside and stay in Russia. In the fake news reports, many so-called (self-described) "journalists" help Microsoft by deflecting the blame, passing culpability from Microsoft to "China" and "Russia" (knowing they cannot be held accountable). Sometimes they instead blame "Iran" and "North Korea". Microsoft, the culprit, then paints itself as the "victim" of those "rogue" nations. What a reversal of reality! Some of those phony "journalists" (PR bunnies) then paint Microsoft as the expert or saviour. That's just grotesque.

Now consider this new report, "Appeal court orders release of convicted psychotherapy centre database hacker" (who cannot pay and whose imprisonment costs the state money).

"If the court reduces his sentence," it says, "there's a risk that Aleksanteri Kivimäki will have spent too much time in prison — and then be able to demand compensation from the state."

So taxpayers will pay him even more? This is what Yle says, we're not making it up:

How was this database compromised? Whose fault was it?

Was this Windows TCO, as usual?

"The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement with a string of ransomware cybercrimes," says [1]. Here's another example of Windows TCO: "Akira is also poking holes in SonicWall SSLVPN misconfigurations, abusing all of these security risks to gain access to vulnerable devices and conduct ransomware attacks" [2] and Ron "Wyden, whose staff interviewed or spoke with Ascension and Microsoft staff as part of the senator’s oversight," [3] wants "the Federal Trade Commission (FTC) investigate and hold Microsoft responsible for its gross cybersecurity negligence" [4]. There are other Windows TCO stories in today's news [5] and it seems the US government is willing to spent a lot of taxpayers' money chasing someone who cannot pay it back [6] "after allegedly orchestrating ransomware operations" (Windows TCO).

This does not make any sense. So a lot of money is lost and then they want to spend more money without ever holding the principal culprits (who are rich) responsible.

"He is only 1 of n perpetrators," an associate said of the one who was put in prison (and might soon get more money from the state), plus "they still have not identified and prosecuted those involved in deploying Microsoft products into a production environment and thus laying the groundwork for his break-in."

The associate added that "the recent letter by Senator Wyden could form the basis for an article or two" because "Wyden's letter and the related article are in [Daily] Links," and moreover reproduced again below.

Wyden has been talking about this for a very long time. But it never happens. Microsoft and Bill Epsteingate seem to have bribed enough US politicians to look the other way or write birthday cards to Bill's mate.

When will we see Microsoft being compelled to pay multi-billion-dollar fines for its shoddy security? Negative media coverage isn't a fine and it does nothing to compensate Microsoft's billions of victims. █

Related/contextual items from the news:

1. U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years

   The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement with a string of ransomware cybercrimes. Tymoshchuk faces severe federal charges for his part in reportedly masterminding the theft of a combined $18 billion over a three year period.

2. Akira ransomware crims abusing trifecta of SonicWall flaws

   Akira is also poking holes in SonicWall SSLVPN misconfigurations, abusing all of these security risks to gain access to vulnerable devices and conduct ransomware attacks, according to a Rapid7 warning on Wednesday.

3. Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure

   Wyden, whose staff interviewed or spoke with Ascension and Microsoft staff as part of the senator’s oversight, said the attack “perfectly illustrates” the negative consequences of Microsoft’s cybersecurity policies.

4. Letter from Senator Wyden to FTC Chair Andrew Ferguson

   I write to request that the Federal Trade Commission (FTC) investigate and hold Microsoft responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations, which have caused enormous harm to health care providers, put patient care at risk, and continues to threaten U.S. national security.

5. S-bank fined €1.8m for lax data security

   The Office of the Data Protection Ombudsman has issued a warning and an administrative penalty of 1.8 million euros to S-Bank for a data security breach in the bank's identification service in 2022.

   The decision is not yet legally binding, as it may still be appealed to an administrative court.

6. US indicts alleged ransomware boss tied to $18B in damages

   A Ukrainian national faces serious federal charges and an $11 million bounty after allegedly orchestrating ransomware operations that caused an estimated $18 billion in damages across hundreds of organizations worldwide.