State Department
State Department employees had their personal information exposed by a breach of an unclassified email system. Here, the State Department is seen in Washington, D.C., Nov. 29, 2010. NICHOLAS KAMM/AFP/Getty Images

The State Department recently confirmed that the personal information of some of its employees was exposed in a potential personally identifiable information (PII) data breach. The department sent out a warning Sept. 7 to a number of employees who may have been affected by the breach.

"The department recently detected the activity of concern in its unclassified email system affecting less than 1% of employees' inboxes," the warning read. The warning also stated this "activity of concern" was not reported in any of the department's classified email systems. According to the department's own records, it employs 69,000 people, of whom about 600-700 were affected by the breach.

The warning established that employees' PII may have been exposed. However, it did not specify exactly what information had been accessed, and it was not yet known who might be responsible for the network breach. The department was investigating the cause by working with partner agencies to conduct a full assessment.

A recent General Services Administration report showed the State Department had deployed multi-factor authentication (MFA) across only 11 percent of agency devices. It also said 100 percent of the users are required to deploy this authentication process.

Five senators, who are also members of the Senate Committee on Foreign Relations, requested an official briefing from Secretary of State Mike Pompeo on how the department was implementing federal cybersecurity standards where it currently lagged behind other agencies. The official report from the senators, dated Sept. 11, also questioned the lack of authentication process currently deployed.

"We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agencies to use MFA," the senators' draft read.

“Sadly, many important departments in the US government continue to lag when it comes to computer security,” Gary McGraw, vice president of security technology at Synopsys, said. “If the State Department has trouble rolling out two-factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure?”

“This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” McGraw added.

Data breach incidents are at an all-time high, and a recent example was the hacking of GovPayNet, an online payment solution catering to 2,300 government agencies from 35 states. In the hack, over 14 million customer records were leaked. It was reported that the organization's location tracking service was being misused by law enforcement officials, which was then stolen by hackers by breaking into the company's system. Following this, the company said it would continue to evaluate security.