REDMOND, Wash., and CUPERTINO, Calif., Oct. 4, 1999 — Microsoft Corp. and TRUSTe officials today released findings from an independent report, commissioned by the two organizations, evaluating actions Microsoft implemented following the security issue that occurred Aug. 30 with the Microsoft ® Hotmail TM Web-based e-mail service. Based on the inquiry by a Big Five accounting firm, TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind.
The independent accounting firm released the final report to Microsoft and TRUSTe after conducting interviews with the development, testing and operations staff at Hotmail; reviewing the solution at the code level; and testing scenarios used for access to Hotmail accounts. The report details activities conducted by the accounting firm in each of the following areas:
Obtaining and reviewing documentation that describes the nature, extent and cause of the problem that allowed users access to any valid Hotmail e-mail account.
Obtaining and reviewing documentation that describes the solutions Microsoft implemented to resolve the problem identified in procedure No. 1.
Interviewing the Microsoft personnel responsible for identifying the problem, and implementing and testing the solution.
Reviewing the source code to ascertain whether the solutions described in procedures 1–3 have been implemented.
Developing and conducting tests against the source code to ascertain whether the problems described in procedure No. 1 are no longer evident.
“We realize a profound sense of responsibility to protect the privacy and security of consumers in the online world, and as a result, we moved swiftly to resolve the issue with Hotmail and ensure that our customers were aware of its resolution,”
said Richard Purcell, data practices director at Microsoft.
“We subsequently agreed to hire an independent third party to conduct a review of the incident and our solutions to demonstrate that Hotmail maintains the very high standards we place on consumer privacy and security. Unfortunately, malicious hackers target all technology platforms, but we believe this effort will help ensure that we have the right security controls in place to protect customers of Hotmail.”
“The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works,”
said Bob Lewin, executive director of TRUSTe.
“We were able to satisfactorily resolve a consumer complaint, which was originally posted on TRUSTe’s Watchdog page. The integrity of the outside review allowed us to validate Microsoft’s resolution of the Hotmail security issue. While not every incident requires an independent review, I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe’s privacy seal program on the Internet.”