US Dept of State says attack on email system exposed employees’ personal data

Only 11% of agency devices have had multi-factor authentication rolled out to them.

Graham Cluley


Well, this is embarrassing.

The US Department of State has confirmed that it has suffered a data breach which exposed the personally identifiable information of some employees.

News of the breach was first reported by Politico, who pointed out that the department has often been a target for state-sponsored hacks.


(Perhaps the most notable incident occurred in 2014, when the department was attacked by Russian hackers and an NSA Deputy Director described the battle for control over the State Department’s systems as virtually “hand-to-hand combat.”)

According to reports, the State Department detected “suspicious activity” against one of its email systems, which exposed information about an undisclosed number of employees.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes.”

Affected employees have been notified, and there has been no detection of suspicious activity related to the Department’s classified email system.

TechCrunch points out that earlier this year an analysis of federal cybersecurity measures determined that only 11% of the State Department’s devices are protected with some form of multi-factor authentication.

Google, for instance, recently underlined how successful their adoption of multi-factor authentication had been – noting that none of the technology giant’s 85,000 employees had been successfully phished on their work-related accounts since early 2017, when staff were given hardware security keys.

As five senators pointed out in a letter to Secretary of State Mike Pompeo, the State Department’s low level of multi-factor authentication coverage is a breach of the Federal Cybersecurity Enhancement Act, which requires all executive branch agencies to enable multi-factor authentication for all accounts with “elevated privileges”.

Multi-factor authentication is not a guarantee that an account cannot be hacked, but it does make it significantly harder for hackers to breach accounts and steal sensitive data.

You would like to think that the US Department of State would understand the importance of rolling out multi-factor authentication. After all, there’s been rather a lot in the news of late about how hackers from other countries might have an unhealthy interest in breaking into US government email accounts…


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
