Apscitu Mail masthead.
Apscitu Mail motto.
Expert Email News tab.
Expert Email News Article tab.
Credentials tab.
About Apscitu Mail tab.
Email Technology tab.
Apscitu tab.
Apscitu Law tab.
Secure Contact tab.
RSS tab.
Email Subscribe tab.
Microsoft logo, Microsoft Outlook logo, Microsoft CEO Satya Nadella, China/Russia/India flags, hacker, 16 federal government department and agency seals, HACKED.

The Doomsday Microsoft Government Email Data Breach



By Duane Thresher, Ph.D.          February 22, 2021

As Apscitu has been warning for years, since its inception, particularly through Stop IT Incompetence, the IT Incompetents Hall Of Shame (Government, Business, and Media), and Apscitu Mail, there has been a doomsday data breach of the federal government's email and (then) networks, and this was due to government IT incompetence, not the supposedly sophisticated foreign government hackers. This doomsday data breach was finally admitted to by the federal government starting in December 2020 and continuing, but may have been going on undetected for many months or even years and may still be going on undetected.

Those who have even a clue about this data breach, which doesn't include the media, are calling it the most massive — and not just yet another most massive — (thus worst) data breach in history, whose vast effects will be the major national security risk for many years into the future, if the United States survives it at all; hence "doomsday data breach". Numerous national security critical federal government departments and agencies have been hacked, including but not limited to: the Department of Defense (DOD), which includes the National Security Agency (NSA); the Department of Homeland Security (DHS), which includes Customs and Border Protection (CBP), the Transportation Security Administration (TSA), the Federal Emergency Management Agency (FEMA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Secret Service; the Department of Energy (DOE), which is responsible for nuclear safety; the Department of State, which is responsible for dealing with foreign governments; the Department of the Treasury, which is responsible for the currency and includes the Internal Revenue Service (IRS); the Department of Transportation (DOT), which includes the Federal Aviation Administration (FAA); the Department of Agriculture (USDA), which includes the Food Safety and Inspection Service (FSIS); the Department of Health and Human Services (HHS), which includes the Centers for Disease Control (CDC) and the Food and Drug Administration (FDA); the Department of Justice (DOJ), which includes the Federal Bureau of Investigation (FBI); and the entire judicial branch of the federal government, which includes the Supreme Court.

The doomsday data breach was caused by IT incompetent foreign-run Microsoft, which has quietly become inherent in government IT, particularly via Microsoft's email, Outlook, in all its various guises.

If you've heard of this doomsday data breach at all, given the IT incompetence of the media, you've probably heard it referred to as the SolarWinds data breach. SolarWinds is an IT incompetent business that makes Orion, which is network monitoring software that is widely used in government, including the NSA. Network monitoring software is the primary way to detect hackers — for example, by looking for large downloads of stolen data — so if the network monitoring software itself is hacked then the hackers can't be detected. Moreover, since network monitoring software has to have access to the entire network being monitored, it can be used to hack into that entire network. In short, a hacker's dream.

The hackers hacked SolarWinds's Orion network monitoring software by hacking the software's build system, i.e. how the software and its updates are made (compiling, etc.) before being delivered to customers. To make matters worse, SolarWinds advised customers — much of the federal government — to turn off their antivirus software before installing their Orion software. Again, a hacker's dream.

The hackers hacked the build system of SolarWinds's Orion network monitoring software by hacking SolarWinds's Microsoft email — for example, many services use email login authentication as their login authentication — just like they did to many departments and agencies of the federal government, who also use Microsoft email.

So for many months and possibly years, hackers had, and may still have, undetected access to both the email and networks of the national security critical departments and agencies of the federal government, including the NSA (whether they admit it or not). From the hacked department and agency list given in the introduction, it should be clear why this was the doomsday data breach.

Microsoft email is a notoriously insecure email client and email service, both now named "Outlook" in some form. The Microsoft email client is just named Outlook and has been included in Microsoft Office (97, 2000, XP, 2003, 2007, 2010, 2013, 2016, 2019) since the 1990's — given its increasing notoriety, more quietly included in later years — right up to Microsoft Office 365, today's web app version of Office. Outlook.com is the free webmail version of Microsoft's email service, which started as the notorious Hotmail (similar in notoriety to Verizon's Yahoo! Mail). "Outlook on the web" is the business webmail version of this and part of Office 365.

In addition to Outlook email being notoriously insecure to hackers, Microsoft made an extensive and vigorous effort to provide built-in easy access to Outlook email to the NSA — and thus the CIA, FBI, etc. — as proven by documents stolen from the NSA and CIA when they were hacked by Edward Snowden (in what was then called the worst data breach in history). While Microsoft advertised to the public that it was going to use encryption in Outlook, to counter Outlook's terrible security reputation, Microsoft was secretly conspiring with the NSA and FBI to make sure they could get around this encryption. And if they can get around this encryption, other hackers can get around this encryption.

(As it says in the Legal Notes section of the About Apscitu Law page on the Apscitu Law website: "Apscitu Mail does not and will not allow built-in easy access by the NSA (and so the FBI, CIA, etc.) to Apscitu Mail email server computers. All demands for access to Apscitu Mail email server computers will be fought in court. A precedent case for this is long overdue and I am willing to do this.")

I have experience — bad — with most of the versions of Outlook. Most recently, my alum.mit.edu email account is now an Office 365 "Outlook on the web" account; I access its webmail at outlook.office.com. This account was hacked by a leftist lawyer, Jason Baletsa, at MIT and is the subject of a lawsuit and a national security investigation, since MIT is a major defense contractor. (You can use this account for authenticating me but don't send sensitive information through it; see Apscitu's Secure Contact page.)

By doing a Domain Name System (DNS) lookup and examining the name of the associated email server, it is sometimes possible to tell from the domain of a government email address (e.g. @dhs.gov) whether it is using Microsoft Outlook email. I research government email extensively and know from this that the following federal government departments and agencies use Microsoft Outlook email: the Department of Homeland Security (@dhs.gov), the Federal Election Commission (@fec.gov), the United States Postal Service (@usps.gov), the Department of Transportation (@dot.gov), the Department of Agriculture (@usda.gov), the Department of Education (@ed.gov), and the Department of Housing and Urban Development (@hud.gov). Of these, those not listed in the introduction and/or not having admitted to having been hacked, may indeed have been hacked as well.

(Other federal government departments and agencies use Google and Proofpoint email, which are their own major security risks; see Google: Invasion of the Email Snatchers and Proofpoint Investigation: Fraud and Government Email Tampering.)

Unfortunately, it's not always possible to tell from the domain of a government email address whether it is using Microsoft Outlook email, and government will often not even give out the email addresses they really use; see FOIA: That's Some Exemption, That Exemption 6. This is the case for the Department of the Treasury, which in the doomsday data breach was one of the first federal government departments to admit it had Microsoft Outlook email, had been hacked, and had had its high-level emails secretly read by hackers for many months or even years.

It's obvious from Stop IT Incompetence and the IT Incompetents Hall Of Shame that the government is too IT incompetent to do its own email, but it's even too IT incompetent to outsource its email; see the IT Hiring articles in Principles of IT Incompetence. With just a little knowledge of IT and Microsoft, the federal government would have known not to outsource their email to them.

Like Dell, Microsoft long ago realized it was more profitable and far easier to sell to government than individuals, because individuals are careful about how much they pay and complain about poor quality — i.e. incompetence — unlike government. And Microsoft has had longer than other companies, like Dell or Google, to insinuate itself in government, and learn to keep quiet about it. Once inherent in government, Microsoft was able to keep a low profile even when it was also implicated, as described above, in what the NSA was doing in collusion with high-profile companies like Google and Facebook.

Microsoft software — e.g. Windows, including its notorious web browser Internet Explorer (now renamed Edge), and Office, including Outlook email — has always been a security nightmare. Microsoft claims it only seems this way because they are the largest software company so are targeted by hackers the most, but hackers would stop targeting them if it was at all difficult to succeed. No, as strange as it may seem on the face of it, Microsoft is IT incompetent; Microsoft is successful for non-IT reasons, like unfair competition, working for the government, etc. If you are IT knowledgeable and have a lot of experience with Microsoft software, as I do, you will know Microsoft is IT incompetent all too painfully well.

Bill Gates , a founder and former CEO of Microsoft and no IT expert himself — he was a pre-law major in college and dropped out after two years — loves India (giving away a lot of his taxpayer-provided wealth to it) and hired a lot of cheap IT incompetent programmers from there, skirting U.S. immigration laws (e.g. H-1B visas) to do so, as well as outsourcing a lot of programming to India, home of cheap IT incompetent programmers. See No IT Education: Foreigners and IT Hiring: Foreigners in Principles of IT Incompetence.

Finally, Bill Gates made the CEO of Microsoft a cheap IT incompetent programmer from India.

Satya Nadella has been CEO of Microsoft since 2014. He was born, raised, and educated in India and did not come to the U.S. until he was 22. Nadella got his bachelor's in electrical engineering from the Manipal Institute of Technology in India. He then came to the U.S. and got a master's in computer science from the University of Wisconsin – Milwaukee.

As I say a lot — e.g. The Most Important IT Credential: An IT Education in Principles of IT Incompetence — an IT expert should ideally have degrees in both electrical engineering and computer science ... from good universities.

The Manipal Institute of Technology is way way down at #1056 in Best Global Universities according to U.S. News, the premier college ranker. Satya Nadella probably deceitfully put on his Microsoft application that he was from "MIT", since this is an abbreviation for Manipal Institute of Technology, but of course to everyone else, particularly Microsoft, "MIT" means the top-rated Massachusetts Institute of Technology, where I got my degree in Electrical Engineering and Computer Science.

The University of Wisconsin – Milwaukee is in the bottom 25% of Best National Universities according to U.S. News. It's essentially just a glorified community college (see No IT Education: For-Profit and Community Colleges in Principles of IT Incompetence); for example, it accepts over 95% of those who apply, basically anyone.

Of course, with its CEO now being a cheap IT incompetent programmer from India, Microsoft hires even more cheap IT incompetent programmers from India.

Foreigners doing IT for the federal government is an obvious inherent national security risk; see IT Hiring: Foreigners in Principles of IT Incompetence and all the foreigners in the IT Incompetents Hall Of Shame. In fact, it is clear that the doomsday data breach was done by foreign hackers, although to avoid detection their command-and-control hacking servers were domestic cloud computers provided by ... wait for it ... Microsoft (as well as GoDaddy and Amazon). Satya Nadella was head (executive vice president) of Microsoft's cloud computing division before he became CEO of Microsoft.

As part of their effort to hide their IT incompetence, government is calling, like they always deceitfully do, the doomsday data breach a "sophisticated" hacking — see Data Breaches on Stop IT Incompetence — done, as supposedly only such a "sophisticated" hacking could be, by a foreign government. Whether Russia or China is blamed depends not on any real evidence but only on the particular government official and what country he/she has business ties with (the other country is then blamed). Even if the hackers are Russia or China, the U.S. tries to do the same to them and can only complain that it is too IT incompetent to defend itself.

But given the Microsoft connection described and other evidence, the hackers may have been from India. One of the most effective hacking methods is "spear phishing", which is emailing particular important people and tricking them into giving up passwords by using their personal information to lull them into believing the hackers are someone they know, like their system administrators. India already knows the names, addresses, telephone numbers, credit card info, purchase histories, etc. — and possibly much more, like spouses, children, jobs, incomes, Social Security numbers, credit ratings, medical histories, etc. — of many Americans, including those in government, from being customer service for many American businesses (and other organizations), particularly Amazon.