State Department confirms breach of unclassified email system

The U.S. State Department confirmed it suffered a data breach that exposed employee data; the breach affected the State Department’s unclassified email system.

It’s not like the agency suddenly decided to tell the public about the breach, though. The incident came to light only after Politico got hold of a Sept. 7, 2018, “Sensitive but Unclassified” notice about the breach.

After a State Department spokesperson confirmed the compromise of its email system, Politico was told, “This is an ongoing investigation, and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment.”

The breach announcement claimed the detected activity in its unclassified email system affected “less than 1% of employee inboxes.” The cloud-hosted email service used by the State Department for unclassified work is Microsoft Office 365, according to TechCrunch.

“We determined that certain employees’ personally identifiable information (PII) may have been exposed,” the notice reads. “We have notified those employees.”

If the State Department’s ongoing investigation determines more employees were affected by the breach, then they will be notified.

As happens after any breach anywhere, the hacked organization claims to value the privacy of those affected. Most companies toss in a comment about how important security and privacy is to them. The State Department left out security, saying that it “takes the protection of privacy and personal information very seriously.”

State Department’s history of security failures

The Department of State claimed it took “steps to secure its system,” but the agency has a history of fail when it comes to security.

U.S. Senators Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Edward Markey (D-Mass.), Cory Gardner (R-Colo.), and Jeanne Shaheen (D-N.H.) sent a letter (pdf) on Sept. 11, 2018, to Secretary of State Mike Pompeo, saying the “Department of State is failing to meet federal cybersecurity standards” despite the Federal Cybersecurity Enhancement Act of 2015, which required federal agencies to improve cybersecurity.

Citing a 2018 General Service Administration assessment that found the State Department had deployed multi-factor authentication (MFA) to only 11% of State Department devices, the five senators stressed the need for MFA because it would make it “significantly harder for foreign governments or criminals to access accounts.”

The senators added that the Department of State’s Inspector General (IG) “found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, such as regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems.’”

They asked what actions the State Department has taken after its cyber readiness was found to be “high risk,” as well as what the agency was doing to “rectify the near total absence of multifactor authentication.” Additionally, they asked for statistics about cyber attacks that have been launched in the past three years against Department of State systems location abroad. The senators want responses to the three questions by Oct. 12, 2018.