Microsoft Sued for $1.75M Over Email Bug

John Lister's picture

A lawyer is suing Microsoft for $1.75 million after being locked out of his email account. David M Schlachter says a bug meant he couldn't verify his identity, making the account useless.

According to Schlachter, the problem was with his paid Office 365 account. After using it for six years, he was locked out in May by a two-step verification check.

The check would send a verification code to his phone, either via a text message or an automated voice call. However, when Schlachter tried to choose one of these options and initiate the check, he'd simply see a message reading "Sorry, we're having trouble verifying your account. Please try again." (Source: theregister.com)

The problem was that verifying his account was exactly what he was trying to do, and thus he was trapped in a seemingly endless loop. He claims to have made repeated calls to customer support, in some cases waiting on hold for several hours. According to Schlachter this either ended with him being cut off, or with a support team member saying they were continuing to work on the problem.

Lost Business Prompts Lawsuit

Schlachter eventually lost patience and filed a lawsuit in which he notes the email is needed for a variety of professional uses including using court filing systems and communicating with clients. He argues that he may face ethics violation cases for failing to respond to messages.

He is seeking $750,000 in compensation for "loss of business, risk of business and ethical and professional licenses." He wants a further $1 million in punitive damages to punish Microsoft because it failed to carry out a simple action (restoring his email access) that would have resolved the issue quickly. (Source: regmedia.co.uk)

It could be an interesting case as the court would have to decide whether Microsoft is responsible for the lost business and then to what extent it should shoulder the resulting costs.

Liability May Be Limited

There's certainly an argument that Schlachter took a gamble in relying on the email for so much of his business. However, he argues that Microsoft is responsible because it actively marketed the service as suitable for business use.

The case could come down to the small print of any user agreement he signed up to. Commonly companies which provide a service used by businesses will disclaim or limit responsibility for any lost business and consequential costs from that service not working.

It's also possible that Microsoft - which hasn't commented publicly on the case - may offer a settlement rather than risk setting a precedent or facing a class action suit for other people affected by the same bug.

What's Your Opinion?

Have you encountered a similar problem? Should Microsoft be held responsible in principle for the lost business? Is the $1.75 million claim reasonable?

Rate this article: 
Average: 4.9 (9 votes)

Comments

Dennis Faas's picture

Speaking from personal experience, Google is exactly the same. I have had bots clicking on my Google ads with an estimated $36,000 USD loss in fraudulent clicks and Google reps simply ignore me. I have recorded all phone conversations with their reps where they claim to look into it, but then fail to provide any update. I've called and complained repeatedly, filed tickets in their system, but am repeatedly ignored. I've since stopped advertising with Google.

Unrecognised's picture

You're also very tolerant and moderate. The BS you've endured is truly heroic, before dumping that egregious shower of crooks. If only we could all do so simultaneously that would teach them how to melt away like the wicked witch of the west.

Chuckster's picture

Two-step verification overall is not a terrible thing, but it is cumbersome, troublesome, and time-consuming to endure. Having to open another app or text is more the rule if you want to receive the code. Without cell or email, you must surrender one adding your contact info to their remote database. Google is notorious for soliciting your text number under the fear and guise of "in case you are locked out of your account" BS. Forget the old secret questions, they just want to know how to track you and send you junk ads. Most of us now only have one cell number these days we rely upon. I maintain several emails for that purpose alone, and will likely be getting a second disposable flip phone cell number to further my anonymity. The "WE have sent a code to your email or text' is one message that is tiring and old. Wait till both M$ and G$$G both replace their call centers with AI bots......

Unrecognised's picture

You're very tolerant and moderate. I agree with you fully, with added expletives.

jimain's picture

I tolerated Teams being imposed on me for a year before I got someone in a Chat session to tell me how to get out of it. That was this morning. I haven't logged out and in again, where until now Teams would have grabbed me right up front. Hope I'm free of Teams. when I asked the Chat person to get me out of Teams, they asked me what was my issue with Teams. None wasn't enough for them.

I've had a string of problems with Excel not working as it used to, and Chat personnel don't even know what I'm talking about. Trial and error again, just like 25 years ago!

Unrecognised's picture

I hate them. I've set the email account with a password, and invented secret questions in case of further verification needed. What I never asked for, and DO NOT WANT, is ANY. OTHER. BULLSHIT! -no tracking of IP, no browser fingerprinting, no text messages with verification codes to phones, or emails to linked email addresses.

It's my account and my choice (and responsibility) to conserve my login details. The same thing happened to me, the same vicious cycle, as this guy. As far as I'm concerned, an account name and a password and some preset questions are all this private company have a right to, from me. Especially considering that is all they actually asked for! As for phone numbers, to hell with gugol! I've taken out an email account with Yandex, who required (at least at time of rego) no such thing.

I want my privacy and I want them to stay the hell out of my ether with their intrusive sneaky evilness.

bk27's picture

The Microsoft password reset system clearly needs a bit more polish.

I know a number of people who have fallen foul of the reset system after e.g. replacing their phone and/or phone number, forgetting their password and then not being able to find a way to reset it via the automated reset system.

007Geek's picture

"There's certainly an argument that Schlachter took a gamble in relying on the email for so much of his business. However, he argues that Microsoft is responsible because it actively marketed the service as suitable for business use."

I don't see how he did take a gamble? But you could say that for any service provider you sign up to. The service he signed up to, is a paid service, and marketed specifically to businesses. What was he supposed to do, have a different backup email address, just in case his main mail provider failed him? I don't think that's reasonable.

"The case could come down to the small print of any user agreement he signed up to."
You could put all kinds of cr*p into a user agreement, doesn't necessarily mean it's enforceable.

I say good luck to him!