The company refused to fix flaw years before the SolarWinds hack.
The Big Story
Thu. Jun 13, 2024
In today’s newsletter, a former Microsoft employee says the software giant dismissed his concerns about a critical software flaw because it feared losing government business, updated financial disclosures from Supreme Court justices and more from our newsroom.
Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says
by Renee Dudley, with research by Doris Burke
Reporter Renee Dudley answers our questions about today’s investigation.
Microsoft President Brad Smith told Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in the SolarWinds hack. You spoke to a former employee named Andrew Harris. What does he say happened?
Harris said that he discovered a security weakness in a Microsoft product that many customers, including the U.S. government, used to log onto their devices. The flaw could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.
Beginning in 2017, Harris said that he pleaded with the company to address the issue. But at every turn, Microsoft dismissed his warnings, telling him that addressing the flaw would undermine its business goals. Frustrated, he left the company in August 2020. Four months later, the sprawling SolarWinds hack was discovered. In the attack, Russian spies exploited the very flaw Harris had warned about when they breached government agencies including the National Institutes of Health and the National Nuclear Security Administration.
What is Harris like? What has he told you about why he came forward?
Harris is someone who was drawn to computers at an early age. While still in college, he began working for the Department of Defense, where he stayed for almost seven years. Because of that background, he said he felt a commitment to helping protect national security. So after discovering the flaw in the Microsoft product, he became obsessed with the potential impact on federal government customers who relied on it. He was frustrated when the company refused to act on his warnings, saying, “They’re telling me it’s not ‘customer first,’ it’s actually ‘business first.’”
Microsoft declined to make Smith and other top officials available for interviews for this story, but it did not dispute ProPublica’s findings. Instead, the company issued a statement in response to my questions, saying, in part, that its assessment of the issue Harris raised “received multiple reviews and was aligned with the industry consensus.”
More From Our Newsroom
Bill to Fund Stillbirth Prevention and Research Passes Congress
The bill expands the use of existing federal money to be used to fight stillbirths. Lawmakers cited ProPublica’s reporting on the issue as key to adding urgency and building support for the measure. by Duaa Eldeib

ProPublica Updates “Supreme Connections” Database With New Justice Disclosures
The update includes data from eight financial disclosures made public last Friday that cover 2023, as well as information from some older filings. by Ken Schwencke

Reader Tips Propelled Our Supreme Court Reporting. Now Your Info Could Power Our 2024 Election Coverage.
An email from a reader helped a team of ProPublica reporters uncover secret tuition payments Harlan Crow made for a family member of Clarence Thomas. Now we’re looking for tips on the election, and you can help. by Justin Elliott

Former Foster Youth Are Eligible for Federal Housing Aid. Georgia Isn’t Helping Them Get It.
A 5-year-old program to help young people aging out of foster care offers millions of dollars in rent support. Some states have tapped hundreds of vouchers. Georgia has received just eight. by Stephannie Stokes, WABE

Justice Clarence Thomas Acknowledges He Should Have Disclosed Free Trips From Billionaire Donor
The trips include vacations in Indonesia and at the exclusive, men’s-only Bohemian Grove retreat, which were first reported by ProPublica last year. by Joshua Kaplan, Justin Elliott and Alex Mierjeski

A Bottled Water Company in Michigan Is Still Extracting Millions of Gallons of Water for Free
Gov. Gretchen Whitmer had pledged to crack down on bottled water companies taking water at the same time Flint, Michigan, faced a water crisis. Six years later and in her second term, little has changed. by Anna Clark, photography by Sarahbeth Maney

His Parents Said They Would Homeschool Him. Lax State Oversight Kept His Abuse Hidden.
Illinois has virtually no regulations on homeschooling, allowing parents to pull vulnerable children from public schools and then not provide any education for them. Officials call them “no schoolers.” by Molly Parker and Beth Hundsdorfer, Capitol News Illinois

What Donald Trump’s Criminal Trial May Indicate About a Second Trump Term
The picture that emerged in the New York courtroom was of a person on top of details, aware of what his team is doing. Along with outside events, it suggests Trump will be even less constricted by rules and norms than he was before. by Andrea Bernstein

An Illinois School District’s Reliance on Police to Ticket Students Is Discriminatory, Civil Rights Complaint Says
Two civil rights groups are asking the U.S. Department of Education to force Rockford Public Schools, the third-largest district in Illinois, to stop discriminatory discipline involving police. by Jennifer Smith Richards and Jodi S. Cohen

What Idaho’s Republican Primary Tells Us About America’s Culture Wars
The heavily Republican state booted 15 incumbents across the party’s ideological spectrum. While the election led to net gains for hard-line members of the right, it also underscores how divided Idaho’s party remains. by Audrey Dutton

Multiple Trump Witnesses Have Received Significant Financial Benefits From His Businesses, Campaign
Witnesses in the various criminal cases against the former president have gotten pay raises, new jobs and more. If any benefits were intended to influence testimony, that could be a crime. by Robert Faturechi, Justin Elliott and Alex Mierjeski