The Federal Trade Commission (FTC) plans to review whether Microsoft violated a consent agreement with the agency over the privacy of its Passport online password system, following the revelation of a flaw that could have compromised millions of consumers’ private data.
Microsoft on Thursday said it had fixed the problem, in which a system designed to help users who lost their e-mail passwords could be used by an attacker to gain control of an account. Passport accounts often store vital personal data, including passwords and sometimes credit card data, and have been a centerpiece of Microsoft’s Web services initiative.
But Passport also has been the focus of controversy for some time. Last August, Microsoft settled FTC charges alleging that Passport did not effectively protect personal data.
Promises of Security
At that time, FTC Chairman Timothy Muris said security was necessary for programs like Passport. “Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It’s not only good business, it’s the law. Even absent known security breaches, we will not wait to act,” he noted.
FTC spokesperson Cathy MacFarlane told the E-Commerce Times that the agency is constantly reviewing agreements like the one with Microsoft to ensure compliance. The agreement gives the agency the right to fine Microsoft US$11,000 for each confirmed violation and requires the software company to “implement and maintain a comprehensive information security program.”
“These agreements are monitored regularly,” MacFarlane said. “It doesn’t require an incident.”
Although potential financial losses would be unlikely to dent Microsoft’s cash-heavy wallet, public relations damage as a result of the revelation could be far more worrisome to the software giant.
The Passport fiasco came just days after Microsoft used a New Orleans, Louisiana, conference for hardware makers to tout its emerging security strategy, which aims to combine hardware and software to make personal computers safer and more secure.
It also comes as Microsoft tries to use its Trustworthy Computing initiative to wipe clean its sullied reputation for security, which some analysts say has been gained unfairly in some cases.
“They didn’t need this right now,” Forrester analyst Rob Enderle told the E-Commerce Times. “It undermines the progress they’re telling customers and partners they’ve been making.”
The flaw became publicly known Wednesday when a Pakistani researcher posted news of it to a popular vulnerability e-mail discussion list, claiming he was doing so after 10 e-mails to Microsoft went unanswered.
Microsoft said it fixed the problem within hours by shutting down the e-mail password change option. “Microsoft takes all reported incidents very seriously, and Microsoft teams began investigating the report of this issue and working to protect users immediately,” the company said in a note on its Web site.
Microsoft could not be reached immediately for comment.
Some Passport users will find their accounts frozen as a result of the flaw’s fix, the company said, requiring them to reset their passwords using a secure Web link.