Microsoft Security Breaches: What Have We Learned 3 Months After March 2021 Attacks?

Some good news for Microsoft: The company has announced the launch of Windows 11, and it has generated plenty of buzz, although not all of it positive. This is Microsoft, after all, and as one tech reporter put it, “No matter what Microsoft does, there’s an outcry of righteous indignation”.

But regardless if you are excited for Windows 11, trepidatious or simply don’t care, the announcement has generated the right kind of news for a company that was most often in the headlines for the wrong reasons this year, notably when it comes to security.

Back in March 2021, there was the Microsoft Exchange Server hack. And while it is almost forgotten about in our world of short-attention-span media coverage, it was a hugely significant event – and an incredibly embarrassing event for Microsoft.

Another Microsoft vulnerability exposed

And, just as this article was being prepared, news rolled in on Reuters newswire that Microsoft had suffered another breach on June 25th, which was linked back to the December 2020 attack that targeted Microsoft, VMware and SolarWinds – informally known as the SolarWinds hack.

Both of these events were among the most significant cyber-attacks in recent years. And both have consequences that go beyond Microsoft patching up vulnerabilities in its systems. For instance, CNBC claimed that the March 2021 attack “could lead companies to spend more on security software and adopting cloud-based email instead of running their own email servers in-house.”.

While it did not make the headlines outside of the tech circles, there was also the embarrassing episode in April that saw Microsoft Teams (and Zoom) hacked relatively easily by ‘benevolent’ hackers in a competition designed to show vulnerabilities in popular products. Another breach in Teams was exposed by Evan Grant in June, who detailed the problem in a Medium blog post.

Company able to shrug off security concerns

And yet, so far, Microsoft has been able to shrug all of this off. Yes, there has been much consternation about Microsoft’s response to fixing some of the issues. But it’s almost as if we accept Microsoft as being ubiquitous, and that leads to an acceptance of the inevitability of security breaches in the companies products. Had it been a smaller firm responsible for compromising the data of 20,000 US companies in March, the PR fall-out would have likely doomed it.

Microsoft, of course, does not hold a monopoly – at least anymore – in all areas of IT. For almost all of its products, we can cite successful and, at times, more popular alternatives: Teams has a big rival in Slack; Spike is a brilliant Outlook alternative for those looking for something different and refreshing from email; Azure must contend with AWS and the Google Cloud Platform. But it is Microsoft’s ubiquitousness through all strata of the digital world that arguably makes it so open to attacks.

And perhaps that’s the main lesson to be learned so far from the March 2021 attacks – sadly, they will happen again to Microsoft. It’s not the company’s fault, per se; it’s simply a fact that Microsoft is so intertwined incorporate (and personal) life that there is an inevitability of its exposure to threats.

Politico wonders whether Washington will act

After the June 2021 exposure mentioned above, the US media organization Politico asked the following question: “Microsoft is back in the spotlight after disclosing its third significant cyber incident since December. Can the company (yet again) avoid scrutiny?”

The article talks about the company escaping (relatively speaking) criticism for how it manages security vulnerabilities, not just from customers but from the authorities. It ponders whether the latest developments will force lawmakers in Washington to come down hard on the company. Worryingly, the article also cites Microsoft’s “long-standing” relationship with Washington as possibly warding off scrutiny.

The point of this piece is not to say that Microsoft is bad at securing its products, but the company has penetrated so much of the digital world that the consequences of mistakes are heightened, arguably more so than any other company in the world. The title posed the question, “what have we learned since the March 2021 attacks?” but it might be more pertinent to ask what Microsoft has learned? And as suggested by Politico, the answer might be – nothing at all.