State Department data breach exposes employee info

The U.S. State Department confirmed its unclassified email system was breached, leading to the exposure of personal information for a small number of employees.

The State Department data breach occurred in the agency's cloud-based email system; however, it is currently unclear exactly when the breach occurred, who was behind the attack or exactly how many employees were affected.

According to an alert provided to Politico on Sept. 7, 2018, the State Department detected "activity of concern" in the agency's unclassified email system that affected the personally identifiable information of "less than 1% of employee inboxes."

"We have taken steps to secure our system. We have not detected activity of concern in the Department's classified email system," the Department wrote in the alert. "We determined that certain employees' personally identifiable information (PII) may have been exposed. We have notified those employees. The Department takes the protection of privacy and personal information very seriously. In an abundance of caution, we are offering three years of credit monitoring, in addition to other identity monitoring services to protect information of those employees."

This was not the first State Department data breach involving its unclassified email system. In October 2014, the department's email system was hacked at the same time the White House detected suspicious activity on the unclassified Executive Office of the President network. The Department claimed at the time that it was working to bolster security on its unclassified email system.

The recent State Department data breach is under investigation. The Department did not respond to requests for comment at the time of this post.

Systems which authenticate users based solely on a password are simply not secure.

Just days after that alert on Sept. 11, five senators -- Ron Wyden (D-Ore.), Ed Markey (D-Mass.), Jeanne Shaheen (D-N.H.), Cory Gardner (R-Colo.) and Rand Paul (R-Ky.) -- sent a letter to Secretary of State Mike Pompeo regarding the cybersecurity of the agency. The letter appeared to be prompted by a recent General Services Administration (GSA) cybersecurity assessment and not specifically the State Department breach, but the senators were worried about the need for multi-factor authentication (MFA) in the agency.

The senators noted that the GSA report found that the State Department had only deployed MFA to 11% of agency devices. Additionally, a separate report by the Department of State's Inspector General stated that "vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems" were exploited during testing.

"This password-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft," the senators wrote. "We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with the federal law requiring agency use of MFA."

Craig Young, computer security researcher for the Vulnerability and Exposures Research Team at Tripwire, agreed with the senators that MFA should be implemented.

"Password-based security is entirely insufficient at protecting large numbers of users from determined attackers. A long history of major breaches has thoroughly demonstrated that people generally stink at selecting passwords and tend to use the same (or similar) passwords across many sites. Systems which authenticate users based solely on a password are simply not secure," Young wrote via email. "Although not foolproof, the use of multi-factor authentication schemes can greatly reduce the chances of account compromise."