Regardless of how few Passport users were actually affected by the flaw, this latest security bug was almost too easy for would-be hackers to exploit. Armed with only an email address, it was possible to gain access to a Passport user's name, address, and credit card information by entering only a specific web address.
Security holes are nothing new for Microsoft, or for other software and operating system vendors, so why could a fine result this time around? Because Microsoft may have overstated the security of its Passport service:
Under a settlement last summer, the government accused Microsoft of deceptive claims about Passport's security. In response, the company pledged to take reasonable safeguards to protect those accounts and to submit to audits every two years for the next 20 years, or risk fines of up to $11,000 per violation.

So far, it looks like the absence of reasonable safeguards is what let this massive Passport security hole slip through the cracks, exposing Microsoft to a potentially huge fine. Though the FTC has apparently never fined anyone more than $4.05 million, Microsoft may technically be liable for a maximum fine of up to $2.2 trillion. It seems incredibly unlikely that even a sizeable fraction of such a stiff monetary penalty will ever be imposed, but the threat alone could be enough to light a fire under the Trustworthy Computing initiative.