Microsoft is joining Facebook, Google and Yahoo on the list of companies that notify users when they’ve been targeted by state-sponsored hackers, inspired in part by charges that it failed to notify more than 1,000 victims in the past.
“We already notify users if we believe their accounts have been targeted or compromised by a third party, and we provide guidance on measures users can take to keep their accounts secure,” the company said in a blog post on Wednesday. “We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.”
The Chinese government successfully hacked more than 1,000 Microsoft Hotmail accounts in 2011, according to a Thursday report by Reuters, but Microsoft chose not to notify the affected account holders of the finding. The attacks were targeted toward leaders of China’s Tibetan and Uyghur communities, minority groups oppressed by the country’s Communist Party.
Instead, the company forced those users to reset their passwords without explanation. “Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset,” the company said in a statement.
“We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country,” the statement added. “We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”
Cyberattacks are frequently routed through devices in more than one country, so the assertion that multiple points of origin existed leaves room for interpretation. However, it is likely that the hackers were able to retain access to many of the devices in spite of password resets, which means that some of the victims may still be at risk from the Chinese government.
One victim identified by Reuters was Peter Hickman, a former American diplomatic officer, who used his Hotmail account on computers in Washington, D.C.’s National Press Club to correspond with the Tibetan government in exile, and with the World Uyghur Congress.
Such activity could have given the attackers access to systems at the National Press Club, which is used by news outlets globally and by a parade of dignitaries who speak at its events.
However, Microsoft assured users its policy would be different going forward.
“The evidence we collect in any active investigation may be sensitive, so we do not plan on providing detailed or specific information about the attackers or their methods,” the company’s statement added. “But when the evidence reasonably suggests the attacker is ‘state sponsored,’ we will say so.”
Microsoft is the third company this year to establish the policy, following Facebook in October and Yahoo this month. Google announced the policy in 2012. Twitter does not have a policy, but has nonetheless notified users when they have been targeted by foreign states.