Last year, Microsoft revealed that a Chinese hacking group dubbed "Storm-0558" caused a security breach that accessed the email accounts of approximately 25 organizations, including U.S. government agencies. The Federal Cyber Security Review Board issued a report on the incident, noting that "a chain of avoidable mistakes by Microsoft allowed this intrusion to succeed." Ouch.

The Cyber Safety Review Board is comprised of officials from several U.S. government departments and agencies, including the Department of Homeland Security, the NSA, and the FBI (via Ars Technica), as well as several industry leaders, who, under orders from President Biden in response to this attack, prepared a report [pdf] that The report [pdf] was ordered by President Biden in response to the attack.

In a somewhat scathing review, the committee found that not only were Microsoft's security practices "lacking" compared to other cloud providers, but that official statements issued in connection with the attack were "inaccurate" and not timely corrected.

Microsoft announced at the time that the consumer signature key used to forge a token for a cloud service that stored login keys was obtained by Storm-0558, which was caused by a code-based verification error, and later engineered this explanation account was hacked and changed the claim to be caused by a "human error" that allowed an expired signature key to be used to forge tokens.

However, the report reveals that Microsoft has yet to determine the exact root cause of the breach, and that the company did not update its blog post about the attack until March of this year, about the same time the Board concluded its review, and that "Microsoft will announce a fix . after the Board had repeatedly questioned it about its plans," he noted.

The attack itself was originally detected by State Department officials last June, who then notified Microsoft of the breach. The report was based on the fact that the Department had paid for a higher level of Microsoft's cloud service, which allowed it to set up alerts for noteworthy email access.

In summary, the report recommends a renewed focus on security culture to prevent future security failures, a shift in feature development priorities to security improvements, accountability for customer security outcomes, detection and prevention of future intrusions, or quantifiable tools for customers, and several other recommendations.

"Microsoft products and services are everywhere. It is one of the most important technology companies in the world.

"Unfortunately, through this review, the Board has identified a series of operational and strategic decisions that demonstrate that Microsoft's corporate culture has neglected both corporate security investments and rigorous risk management. These decisions resulted in significant costs and harm to Microsoft customers worldwide. The Board believes that Microsoft should address its security culture.

While the report is reprehensible in its findings, Microsoft is not the only victim of hacking groups attempting to break into major security networks; Storm-0558 stole authentication keys for cloud services from a global provider It has been noted that it has a history of stealing authentication keys for cloud services from global providers and becoming a threat in the process.

Still, it is a serious slap in the face for Microsoft, and a summary that does not refrain from criticism of the company's security practices. Given that Microsoft's Azure cloud platform is used by a huge number of major companies and institutions to handle potentially very sensitive data, it may be a wake-up call for the company to focus on security concerns to prevent customers from looking elsewhere .