The U.S. State Department confirmed it suffered a data breach that exposed employee data; the breach affected the State Department\u2019s unclassified email system.It\u2019s not like the agency suddenly decided to tell the public about the breach, though. The incident came to light only after Politico got hold of a Sept. 7, 2018,\u00a0\u201cSensitive but Unclassified\u201d notice about the breach.After a State Department spokesperson confirmed the compromise of its email system, Politico was told, \u201cThis is an ongoing investigation, and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment.\u201dThe breach announcement claimed the detected activity in its unclassified email system affected \u201cless than 1% of employee inboxes.\u201d The cloud-hosted email service used by the State Department for unclassified work is Microsoft Office 365, according to TechCrunch.\u201cWe determined that certain employees\u2019 personally identifiable information (PII) may have been exposed,\u201d the notice reads. \u201cWe have notified those employees.\u201dIf the State Department\u2019s ongoing investigation determines more employees were affected by the breach, then they will be notified.As happens after any breach anywhere, the hacked organization claims to value the privacy of those affected. Most companies toss in a comment about how important security and privacy is to them. The State Department left out security, saying that it \u201ctakes the protection of privacy and personal information very seriously.\u201dState Department's history of security failuresThe Department of State claimed it took \u201csteps to secure its system,\u201d but the agency has a history of fail when it comes to security.U.S. Senators Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Edward Markey (D-Mass.), Cory Gardner (R-Colo.), and Jeanne Shaheen (D-N.H.) sent a letter (pdf) on Sept. 11, 2018, to Secretary of State Mike Pompeo, saying the \u201cDepartment of State is failing to meet federal cybersecurity standards\u201d despite the Federal Cybersecurity Enhancement Act of 2015, which required federal agencies to improve cybersecurity.Citing a 2018 General Service Administration assessment that found the State Department had deployed multi-factor authentication (MFA) to only 11% of State Department devices, the five senators stressed the need for MFA because it would make it \u201csignificantly harder for foreign governments or criminals to access accounts.\u201dThe senators added that the Department of State\u2019s Inspector General (IG) \u201cfound last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, such as regular reviews and audits. The IG also noted that experts who tested these systems \u2018successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems.\u2019\u201dThey asked what actions the State Department has taken after its cyber readiness was found to be \u201chigh risk,\u201d as well as what the agency was doing to \u201crectify the near total absence of multifactor authentication.\u201d Additionally, they asked for statistics about cyber attacks that have been launched in the past three years against Department of State systems location abroad. The senators want responses to the three questions by Oct. 12, 2018.