$2 trillion fine for Microsoft security snafu?

Microsoft says Passport flaw exposed user data

May 08, 2003 7:09:00 PM ET

By Reed Stevenson

SEATTLE, May 8 (Reuters) - Microsoft Corp. said on Thursday a security breach in its Passport online identity service had exposed personal information, e-mail accounts and registered credit card information for an undisclosed number of users. The world's largest software maker said it had already fixed the flaw, which affected potentially all of its active 200 million Passport accounts.

The disclosure of the security loophole and the breach comes as Microsoft pushes to make its software more secure, in part to head off fines from regulators and the loss of important government business.

Adam Sohn, a Microsoft product manager for Web-based services, said that Microsoft (MSFT) became aware of the problem after receiving an e-mail posting late Wednesday and moved to block the flaw immediately.

Muhammad Faisal Rauf Danka, a computer consultant in Pakistan, discovered the flaw that let hackers hijack a Passport account by typing in a specific Web address containing "emailpwdreset" to reset an account holder's password, the company said.

The feature was originally meant to allow users to regain access to their account if they had forgotten the password.

Passport, which Microsoft launched in 2001 to make it easier for users to store their information in a central location, is used by a number of other Web sites to make it easier for users to register or shop.

Microsoft launched a company-wide campaign last year to improve the reliability and security of its software, which runs on nearly all of the world's personal computers.

"We're working very hard on all fronts to ensure that we learn what we need to learn from this," Microsoft's Sohn said.

The Fair Trade Commission and Microsoft reached a settlement last year over the software maker's claims over the security features of Passport, which included a fine for future violations of up to $11,000 for each incident.

"Any investigation is non-public, however we do have an order against Microsoft and we routinely look into compliance with the settlement," said Jessica Rich, an official in the FTC Bureau of Consumer Protection.

Since the security breach applied to all of the Passport accounts, Microsoft could potentially face a massive fine of over $2.2 trillion, although regulators would likely look at a range of considerations in setting any fine.

The actual number of Passport accounts that were compromised through this breach was "several orders of magnitude less" than the 200 million Passport users, Microsoft said. The company declined to specify the number of accounts it believed had been compromised. REUTERS

© 2003 Reuters


  • Reply 1 of 1
    matsumatsu Posts: 6,558member
    Yeah, but don't forget that M$ has the best legal dept EVAR!!! 2.2 trillion in fines, they'll get that down to 100 000 licences of XP Home to a school board of M$'s choice before they get through with it.