The US State Department has confirmed an email security breach which may have affected hundreds of employees, exposing their personal information to attackers.
Reports emerged on Monday that the incident earlier this year affected “less than 1% of employee inboxes.”
“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” it reportedly noted. “We have notified those employees.”
According to State Department figures, it employs nearly 70,000 staff, meaning in the region of 700 could be affected by the breach.
It’s not known how the attack occurred, although it affected the department’s cloud-hosted email service and not a nominally more secure classified system.
Government auditors have criticized the department in the past for failing to meet cybersecurity best practice standards.
As a result, several senators wrote to secretary of state Mike Pompeo last week demanding an update on its efforts to comply.
“According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law — the Federal Cybersecurity Enhancement Act — requiring all executive branch agencies to enable MFA for all accounts with ‘elevated privileges’,” they noted.
“Similarly, the Department of State’s Inspector General (IG) found last year that 33% of Diplomatic Missions failed to conduct even the most basic cyber threat management best practices, like regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of department personnel as well as department applications and operating systems'.”
Gary McGraw, vice president of security technology at Synopsys, argued that the department is not alone in lagging on cybersecurity.
“If the State Department has trouble rolling out two-factor authentication to protect the majority of its users, something that many corporations have had in place for years, how can we expect other aspects of its operations to be secure? This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.
Sam Curry, chief security officer at Cybereason, claimed that the US government procurement process is holding it back.
“It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do," he argued. "Fundamentally this is likely a hack that led to a breach and not some type of insider issue."