A significant security breach has been identified within the U.S. Treasury Department, where unauthorized individuals gained administrator-level access to critical financial systems, including the Payment Automation Manager (PAM) and the Secure Payment System (SPS). This breach raises serious concerns about the integrity of the U.S. financial system, as it allows for unauthorized modifications to federal payment workflows and security configurations. The threat actors, linked to a private sector entity, have reportedly acquired elevated privileges without the necessary government vetting or legal authorization, potentially compromising sensitive financial operations and the personal data of millions of Americans.
The implications of this breach extend beyond the Treasury, as individuals associated with the threat actors have also gained unauthorized access to the National Oceanic and Atmospheric Administration (NOAA). This unauthorized entry raises alarms about the potential compromise of classified environmental data and the integrity of agency operations. Lawmakers are expressing significant concern over the breach, particularly regarding its impact on federal funding mechanisms and the privacy of citizens. Affected customers have filed a lawsuit against the Treasury Department, alleging failures in enforcing access controls that could jeopardize personal and financial information.
The discussion highlights the importance of cybersecurity governance, compliance, and access control, emphasizing that security is not solely about defending against external threats. The podcast stresses that insider threats and unauthorized privileged access are equally critical issues that businesses must address. It calls for a shift in how organizations perceive security, advocating for a zero-trust approach and robust identity and access management practices. The need for continuous monitoring and strict auditing of privileged accounts is underscored, as unauthorized access can occur regardless of the actors' intent.
In addition to the main story, the episode covers several other cybersecurity-related topics, including the exposure of over one million chat records by DeepSeek, which has raised concerns about data security among AI providers. Microsoft announced the discontinuation of its Defender VPN service due to low usage, while Let's Encrypt plans to end its expiration notification email service. Cloudflare has introduced a feature to enhance online image authenticity, and the Trump administration has eliminated a key framework for AI integration into federal cloud services. These developments reflect broader trends in cybersecurity, privacy, and the evolving landscape of technology governance.
Four things to know today
00:00 Cybersecurity 101: If Even the Government Can’t Control Access, What About Your Business?
06:39 DeepSeek Leaks a Million Chat Records—And the Pentagon Wants Nothing to Do with It
08:58 Microsoft Pulls the Plug on Defender VPN—Was Anyone Using It?
10:57 FedRAMP Shake-Up: No Special Treatment for AI as Trump Administration Ends Key Framework
Supported by: https://www.huntress.com/mspradio/
Event: https://nerdiocon.com/
[00:00:02] It's Wednesday, February 5th, 2025, and I'm Dave Sobel. Four things to know today. Cybersecurity 101. If even the government can't control access, what about your business? DeepSeek leaks a million chat records, and the Pentagon wants nothing to do with it. Microsoft pulls the plug on Defender VPN. Was anyone using it? And... FedRAMP Shake-Up! No special treatment for AI as the Trump administration ends a key framework.
[00:00:30] This is the Business of Tech. A security incident has been identified within the U.S. Treasury Department's financial infrastructure, where an actor has gained unauthorized administrator-level access to Payment Automation Manager, or PAM, and the Secure Payment System, SPS. These systems, housed within a classified mainframe, process over $5 trillion in federal payments annually, representing more than 20% of the U.S. economy.
[00:00:58] This level of access raises serious concerns regarding financial system integrity as it enables unauthorized modifications to federal payment workflows and security configurations. The breach was first identified through external reporting and has been corroborated by multiple sources. The threat actor, operating from outside the Treasury Department, has been linked to a private sector entity with extensive financial and technological influence. Six individuals
[00:01:26] associated with this entity have been granted elevated privileges within Treasury's core payment processing infrastructure, effectively allowing for unrestricted access to sensitive financial operations, the ability to alter payment processing rules and authorizations, and potential exfiltration of financial transaction data. This access was reportedly acquired without standard government vetting or
[00:01:50] legal authorization. Security experts warned that this unauthorized presence within the financial system could enable external influence over federal payment decisions and compromise the integrity of government funding mechanisms. The breach has prompted significant concern among lawmakers as unauthorized modifications to Treasury systems could impact critical funding flows, including federal programs,
[00:02:13] benefits distributions, and government contracts. A group of impacted customers has filed a lawsuit alleging the department did not enforce access controls to the federal payment systems. The suit claims this access could jeopardize the privacy of millions of Americans by disclosing personal and financial information, specifically social security numbers. In a related breach event, individuals linked to the threat actors' organization
[00:02:39] reportedly gained unauthorized entry to NOAA, a federal scientific agency's headquarters, accessing internal computer systems without proper authorization. Independent security analysts have flagged the potential compromise of classified environmental and infrastructure data as well as attempts to interfere with agency operations. External observers expect the actors may move on to other portions of the U.S. government.
[00:03:05] As you've probably guessed, this is Elon Musk's activities within the federal government. I have intentionally rewritten this into the style of a cyber breach. Now, this is not a political podcast, and I'm not reporting on politics. I've included this for this Why Do We Care reason. This is the tone and sound of typical cybersecurity reporting, and from an access control and legality perspective is accurate. The individuals accessing this data do not have the legally required
[00:03:34] security clearances to access this information and are bringing in external hardware and software in the form of shadow IT to existing agencies. With many managed services providers focused on the idea of cybersecurity, which includes proper access control, management, audits, and the like, understand that cybersecurity is not just about hackers or external threats, but also about governance, compliance, and access control, even when the individuals involved are well-known figures with significant influence.
[00:04:04] Cybersecurity isn't just about technical defenses. It's about who has access, how they got it, and whether that access is legitimate under established protocols. If a federal agency can face such fundamental access control failures, what does that imply for businesses with far fewer resources? Many cybersecurity sales pitches revolve around external attackers phishing and ransomware, but this case highlights that insider threats and unauthorized
[00:04:33] privileged access are just as critical. When discussing security with customers, it's important to emphasize governance, role-based access control, and continuous monitoring. Businesses often assess security based on intent rather than strict access control policies. If they trust the individuals involved, they may not view unauthorized access as a risk until it becomes a problem. Convincing decision makers to treat all
[00:05:01] unauthorized access as a security failure, regardless of intent, remains a challenge. The core issue here is unauthorized access to highly sensitive systems without proper clearance. For providers, this reinforces the need to promote zero trust principles, robust identity and access management, and strict auditing of privileged accounts. Customers need to understand that cybersecurity isn't just about stopping external
[00:05:25] attackers, but also about preventing improper internal access. The fact that this isn't being framed in typical cybersecurity terms is itself a red flag. Security risks exist regardless of who the actors are and need to be managed accordingly. Consider your stance on this issue through a cybersecurity framework. Particularly if you want customers to buy cybersecurity as important.
[00:05:53] With as many breaches and security concerns as I report in this show, it should be obvious that cybersecurity is not just about technology, but also the human expertise needed to interpret and respond to complex threats. Huntress is focused on elevating SMBs and MSPs around the world. Huntress has a suite of fully managed cybersecurity solutions powered by a 24 by 7 human-led SOC dedicated to continuous monitoring,
[00:06:21] expert investigation and rapid response. And the proof is the execution. Huntress is the number one rated EDR for SMBs on G2. Want to know more about the platform? Visit huntress.com slash MSP radio to learn more. I wanted to do some security follow-ups too for stories from this week. DeepSeek has exposed two unsecured
[00:06:47] databases containing over 1 million chat records, including sensitive user data and operational information. The databases were discovered by Wiz Research during a security assessment and were publicly accessible without authentication. The exposed information included user queries, authentication keys and internal infrastructure details dating back to early January. Following this discovery, DeepSeek promptly addressed the issue, making the databases no longer public. The Pentagon is taking urgent measures to block DeepSeek after
[00:07:17] reports surfaced that Department of Defense employees connected their work computers to Chinese servers for at least two days. DeepSeek's terms of service indicate that user data is stored in China and governed by Chinese law, which requires cooperation with intelligence agencies. The U.S. Navy had already restricted access to DeepSeek due to security and ethical issues. And they aren't alone. Hundreds of companies, particularly those with government connections, have blocked the chatbot DeepSeek due to
[00:07:45] concerns over potential data leakage to the Chinese government. This information comes from interviews conducted by cybersecurity firms Armis and Netskope. Why do we care? DeepSeek's database exposure, over 1 million chat records, keys and infrastructure details, reinforces a pattern. AI providers are not securing user data properly. This is the same kind of misconfiguration issue that's plagued cloud services for years, but now it involves AI tools that businesses increasingly integrate into their workflows.
[00:08:15] DeepSeek's database exposure is serious, but U.S.-based AI companies have had their share of breaches too. OpenAI, Microsoft and Google have all faced security incidents related to AI models or cloud misconfigurations. The real takeaway is that all AI vendors need to be scrutinized, not just those from China. Database misconfigurations are a red flag. Organizations should demand transparency on how
[00:08:39] AI vendors protect user data. If an AI tool stores data in the jurisdiction with aggressive intelligence laws, that poses a potential business and compliance risk. This isn't just about one chatbot. It's a broader signal that AI security and data sovereignty are now frontline concerns in IT strategy. And some product stuff. Microsoft announced the discontinuation of its privacy protection
[00:09:05] virtual private network feature within the Microsoft Defender app, effective February 28th, 2025. Despite efforts to enhance the feature, including automatic detection of unsecured connections, the VPN has not gained significant traction in the U.S. market. After removing this feature, Microsoft will continue offering device protection and identity theft monitoring while advising Android users to delete the Defender VPN profile to maintain browsing capabilities.
[00:09:32] Let's Encrypt announced that it will end its expiration notification email service on June 4th, 2025. This decision comes after 10 years of sending these notifications, as more subscribers have implemented reliable automation for certificate renewal. Users wishing to continue receiving expiration notifications can use third-party services such as Red Sift Certificates Lite, which offers free monitoring for up to 250 certificates. Despite the change,
[00:09:59] Let's Encrypt will offer users the option to sign up for other updates related to technical developments and organizational news. Cloudflare launched a new feature to enhance the verification of online images' authenticity by adopting Adobe's content credentials system. This system embeds a digital metadata tag that tracks image ownership, posting history, and any alterations made, including those using generative artificial intelligence. Cloudflare's integration is available across its global network,
[00:10:28] which reportedly supports about 20% of the entire web. This initiative is part of the Content Authenticity Initiative, co-founded by Adobe. The aim is to empower artists and photographers to retain attribution for their work and help users distinguish authentic images from altered ones. Why do we care? These are all small shifts, but they point to larger trends. Privacy tools aren't always a priority, automation is replacing manual
[00:10:53] processes, and AI-driven content authentication is becoming a real issue. The Trump administration has eliminated the FedRAMP Emerging Technology Prioritization Framework designed to facilitate the integration of artificial intelligence into federal cloud services. This decision follows President Trump's rescission of the Biden administration's AI executive order. The framework aimed to streamline the prioritization process for cloud service providers, especially those dealing with emerging technologies.
[00:11:22] While the program had recently shifted to a rolling application format, it's no longer in effect, raising concerns about how AI companies will navigate the FedRAMP authorization process. The framework's removal comes when many AI firms like OpenAI and Anthropic seek partnerships with existing cloud providers to secure government contracts. The General Services Administration, which oversees FedRAMP, continues to emphasize the importance of a standardized security framework but has not
[00:11:50] clarified future directions for advancing AI services through the program. Why do we care? The US government is sending a signal that AI companies should not get extra scrutiny beyond conventional cybersecurity frameworks. With those frameworks potentially being de-emphasized by the government broadly, will cybersecurity become less important to businesses? It's a concern to consider with the messaging being
[00:12:13] presented. Are you ready to get your brand in front of the tech leaders shaping the future of managed services? Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs, whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars. From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and
[00:12:40] vendors of all sizes looking to make an impact. Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs. Be a part of the conversation that matters to IT service providers worldwide. Join us at MSP Radio and amplify your message where it counts. Visit MSP Radio dot com slash engage today to explore all the ways we can help you grow.
[00:13:12] Thanks for listening. Today is National Chocolate Fondue Day. It's also National Shower with a Friend Day. Let's not mix those two. NerdioCon will be held in Palm Springs, California from April 7th through 9th. Visit NerdioCon dot com to learn all about it. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:13:38] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit Patreon dot com slash MSP Radio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech.
[00:13:59] Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio dot com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio dot com slash engage.
[00:14:26] Once again, thanks for listening and I will talk to you again on our next episode. Part of the MSP Radio Network.