Slow roll-out of two factor authentication blamed after State Department admits email data breach
The US State Department has suffered a data breach of an email system that has compromised the personal information of some staffers.
It seems that an “unclassified email system” was breached at the State Department in early September. The department has been criticised in the past for its poor security in audits.
Indeed, a recent General Services Administration report found the State department had only deployed multi-factor authentication across 11 percent of agency devices.
“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” the alert said. “We have notified those employees.”
The message then went on to describe the breach as “activity of concern … but said that it had affected less than 1 percent of employee inboxes.”
The breach did not impact the State Departments classified email system, but the State Department alert was marked as “Sensitive But Unclassified.”
The State Department said that it was offering affected staffers three years of free credit monitoring in addition to other identity monitoring services.
It also said it was working with “partner agencies” to conduct a “full assessment.”
The fact that the US State Department had only rolled out two-factor authentication to 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges, prompted an immediate response from security experts.
“Sadly, many important departments in the US government continue to lag when it comes to computer security,” said Gary McGraw, VP of security technology at Synopsys. “If the State Department has trouble rolling out two factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure?”
“This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.
This regret about the public sector was echoed by Sam Curry, chief security officer at Cybereason.
“In the past, the State Department has turned down help from other agencies to help them identify problems and improve,” said Curry. “There are a lot of reasons for this such as they don’t want national security agencies snooping through their networks, can’t afford any down time, etc.”
“However, considering the immense target that the Department represents, it is not a very compelling case,” said Curry. “One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do and fundamentally this is likely a hack that led to a breach and not some type of insider issue.”
“It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters,” he concluded.
Do you know all about security? Try our quiz!