Microsoft under fire for Recall CoPilot+, cyberattacks

In partnership with

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Microsoft delays adding Recall to Copilot+

After a disastrous public reaction to Recall, Microsoft’s time-bending, desktop-recording generative AI capability, the company has temporarily shelved it except for the Windows Insider release track.

According to a blog post by Windows and Devices VP Pavan Davuluri, Recall has been temporarily removed from its recently unveiled Copilot+ PC program. The new program requires computers to have specific hardware components, notably a neural processing unit (NPU) capable of at least 40 trillion operations per second (TOPS).

Qualcomm’s Snapdragon X Plus and X Elite Arm chips are the first qualifying Copilot+ PCs that ship later this year.

Microsoft states that the value of Recall is to “help you easily find and remember things you’ve seen using natural language,” according to Microsoft, using AI and “photographic memory.”

Privacy and security advocates immediately sounded the alarm.

Third-party scripts can bypass the requirements, and an ethical hacker has already demonstrated how easy it is to bypass any Microsoft-designed Recall safeguards.

Alarmingly, all screenshots of users’ desktops are stored locally on the device unencrypted. Microsoft previously claimed that attackers would require physical access to the device to exploit any safeguards.

Microsoft now states that it will add additional encryption and authentication protections, allowing users to disable Recall entirely.

The debut of Recall is oddly timed, as it is mere weeks after CEO Satya Nadella directed the entire company to prioritize cybersecurity. Microsoft has also faced repeated nation-state hacks and calls from the U.S. Senate and Congress to be investigated after “a cascade of failures.”

Microsoft, in damage control mode, will prioritize cybersecurity over AI

In early May, Nadella sent a company-wide memo telling company executives and engineers to prioritize cybersecurity over profits, or AI.

“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the memo from Nadella read.

“In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems,” he continued.

Microsoft President Brad Smith testified yesterday in Congress that "we acknowledge that we can and must do better.” He promised that “cybersecurity is more important even than the company’s work on artificial intelligence."

Smith added that Nadella, Microsoft CEO, will “personally serve as the senior executive with overall accountability for Microsoft’s security."

Microsoft’s culture shift to cybersecurity

Microsoft will now compensate employees for discovering cybersecurity vulnerabilities or raising security concerns.

Smith testified that to reinforce change, Microsoft will be “empowering and rewarding every employee to find security issues, report them," and "help fix them.”

Today’s privacy meme

OpenAI + Apple: What could go wrong?

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

P.S. - Do you want to start a newsletter yourself?
You can with beehiiv. Create one today with a free trial.
Disclaimer: The Breach Report may contain affiliate links. Read our Advertising policy page.