US Dept of State says attack on email system exposed employees’ personal data

Only 11% of agency devices have had multi-factor authentication rolled out to them.

US Dept of State says data breach exposed employees' personal data

Well, this is embarrassing.

The US Department of State has confirmed that it has suffered a data breach which exposed the personally identifiable information of some employees.

News of the breach was first reported by Politico, who pointed out that the department has often been a target for state-sponsored hacks.

(Perhaps the most notable incident occurred in 2014 when attacked by Russian hackers, where an NSA Deputy Director described the battle for control over the State Department’s systems as virtually “hand-to-hand combat.”)

According to reports, the State Department detected “suspicious activity” against one of its email systems, exposing information about an undisclosed number of employees.

The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes.”

Affected employees have been notified, and there has been no detection of suspicious activity related to the Department’s classified email system.

TechCrunch points out that earlier this year an analysis of federal cybersecurity measures determined that only 11% of the State Department’s devices are protected with some form of multi-factor authentication.

Google, for instance, recently underlined how successful their adoption of multi-factor authentication had been - noting that none of the technology giant’s 85,000 employees had been successfully phished on their work-related accounts since early 2017, when staff were given hardware security keys.

As five senators pointed out in a letter to Secretary of State Mike Pompeo, that is a breach of the Federal CyberSecurity Enhancement Act which requires all executive branch agencies to enable multi-factor authentications for all accounts with “elevated privileges”.

Multi-factor authentication is not a guarantee that an account cannot be hacked, but it does make it significantly harder for hackers to breach accounts and steal sensitive data.

You would like to think that the US Department of State would understand the importance of rolling out multi-factor authentication. After all, there’s been rather a lot in the news of late about how hackers from other countries might have an unhealthy interest in breaking into US government email accounts…

Tags: , ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.