Well, this is embarrassing.
The US Department of State has confirmed that it has suffered a data breach which exposed the personally identifiable information of some employees.
News of the breach was first reported by Politico, which pointed out that the department has often been a target for state-sponsored hacks.
(Perhaps the most notable incident occurred in 2014, when the department was attacked by Russian hackers and an NSA Deputy Director described the battle for control over the State Department’s systems as virtually “hand-to-hand combat.”)
According to reports, the State Department detected “suspicious activity” against one of its email systems, exposing information about an undisclosed number of employees.
“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes.”
Affected employees have been notified, and there has been no detection of suspicious activity related to the Department’s classified email system.
TechCrunch points out that earlier this year an analysis of federal cybersecurity measures determined that only 11% of the State Department’s devices are protected with some form of multi-factor authentication.
Google, for instance, recently underlined how successful their adoption of multi-factor authentication had been – noting that none of the technology giant’s 85,000 employees had been successfully phished on their work-related accounts since early 2017, when staff were given hardware security keys.
As five senators pointed out in a letter to Secretary of State Mike Pompeo, the State Department’s low rate of multi-factor authentication is a breach of the Federal CyberSecurity Enhancement Act, which requires all executive branch agencies to enable multi-factor authentication for all accounts with “elevated privileges”.
Multi-factor authentication is not a guarantee that an account cannot be hacked, but it does make it significantly harder for hackers to breach accounts and steal sensitive data.
You would like to think that the US Department of State would understand the importance of rolling out multi-factor authentication. After all, there’s been rather a lot in the news of late about how hackers from other countries might have an unhealthy interest in breaking into US government email accounts…