Following a legal intervention by Germany’s Federal Office for Information Security (BSI), Microsoft has released detailed information on its encryption methods to secure customer data. The company published a white paper outlining the implementation of double key encryption across its platform, including Microsoft 365 and Azure. This disclosure comes after BSI invoked a clause in the Federal Office for Information Security Act, requiring IT companies to provide necessary security information upon request, especially in light of a 2023 hack involving Azure Active Directory tokens.
The 2023 incident, attributed to a Chinese threat actor known as Storm-0558 or Volt Typhoon, targeted U.S. government networks, prompting BSI to scrutinize Microsoft’s security measures. Despite reports of legal action, both Microsoft and BSI confirmed that no lawsuit was filed, highlighting ongoing cooperation between the company and the agency to address security concerns. BSI stressed that Microsoft users in Germany should use the correct encryption services to protect customer data.
Microsoft has faced increased criticism over recent security failures, including a May incident where Russian hackers exploited a zero-day vulnerability in Microsoft Outlook. This led to a closed-door meeting with German lawmakers to discuss the company’s security protocols. Additionally, Microsoft President Brad Smith admitted to significant security lapses during a U.S. congressional hearing, further intensifying scrutiny from German authorities.
Dennis-Kenji Kipker, an IT security law professor, noted that the information Microsoft has provided has been inadequate, which he says points to serious security issues. He criticized the company’s long-standing reliance on “security through obscurity,” which he argues is no longer effective. This increased political interest and scrutiny underscore the urgent need for Microsoft to improve its transparency and security measures to regain trust and ensure robust data protection.