Government Review Board Slams Microsoft’s ‘Inadequate’ Security Culture

Written by Matt Milano
A government review board tasked with studying Microsoft’s Exchange breach last year has released its findings, blasting the company’s security culture.

Microsoft suffered a massive Exchange breach last year, impacting organizations, as well as government officials. The breach was the last straw for many, with Senator Ron Wyden calling on the DOJ to “hold Microsoft responsible for its negligent cybersecurity practices,” and competitors calling out the company’s security as “grossly irresponsible.” In addition, the Department of Homeland Security’s Cyber Safety Review Board initiated a review of Microsoft’s practices.

The Cyber Safety Review Board has released its findings, and it’s a damning indictment of Microsoft’s security:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.

The Board found there was a “cascade of Microsoft’s avoidable errors” and blasted the company for not realizing its signing keys, “its cryptographic crown jewels,” were compromised until customers alerted it. The Board also took Microsoft to task for not communicating promptly about the matter, for not detecting that an employee’s laptop was compromised, and for not implementing common security measures that other cloud providers do.

Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.

To drive the rapid cultural change that is needed with Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products. The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan.

The full report can be found here. In the meantime, Microsoft clearly has its work cut out for it to reinvent itself and deliver the security its customers deserve.

One thing is certain: With the release of this report Microsoft has been put on notice. If the company cannot overhaul its security culture, it may find itself in the crosshairs of the very government officials that rely on its services.
