A scathing report issued by a Biden administration-appointed review board on Tuesday revealed a series of errors by Microsoft that allowed state-backed Chinese cyber operators to breach the email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo. The Cyber Safety Review Board, created in 2021, criticized Microsoft's corporate security practices, culture, and transparency in handling the targeted breach, which affected multiple U.S. agencies dealing with China.

The panel described Microsoft's security culture as inadequate and in need of a complete overhaul, considering the company's critical role in the global technology ecosystem. It stated that the intrusion, discovered in June by the State Department and dating back to May, was preventable and should never have occurred due to a cascade of avoidable errors. Shockingly, Microsoft still does not know how the hackers gained access.

The report detailed how state-backed Chinese hackers breached the Microsoft Exchange Online email of 22 organizations and more than 500 individuals globally, including the U.S. ambassador to China and several foreign government entities. The panel accused Microsoft of making inaccurate public statements about the incident and expressed concern about a separate hack attributed to state-backed Russian hackers.

In response to the report, Microsoft acknowledged the need for enhanced security measures and pledged to strengthen its systems against cyber threats. The company stated that recent events have highlighted the necessity of adopting a new culture of engineering security within its networks and has mobilized its engineering teams to improve processes and enforce security benchmarks.

The board's recommendations included urging Microsoft to halt the addition of features to its cloud computing environment until substantial security improvements are made. It also called on Microsoft's CEO and board to implement rapid cultural change, publicly share a plan for security-focused reforms, and enforce rigorous risk management practices across the company and its products.

Overall, the report highlighted the urgent need for Microsoft to address its security shortcomings and prioritize the protection of essential services that support national security, the economy, and public health and safety.